Pwntools ROP Binary Exploitation - DownUnderCTF

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

before we dive into this video i want to offer some love and give a little shout out to my good friend overflow some of you that have probably seen some of my older videos i recently did a giveaway with his original beginner malware analysis course now overflow is back in action and he's putting together a new advanced course that's available online at courses.xero2auto.com this time overflow is teaming up with some other researchers and they're providing with this course lifetime access to all the material and this new course has kind of a schoolhouse vibe to it there are new chapters released weekly there's custom malware samples that are kind of fine-tuned curated and hand-picked to train your reverse engineering skills effectively and efficiently you're on the fast track to learning reverse engineering they offer their material both in a video format as well as pdfs containing theory on low-level concepts like windows internals they even have an exclusive ebook all about reverse engineering several different modern malware families there's exclusive access to the zero to hero intermediate course containing more than six hours of content from exploit kits to even analyzing the asus shadowhammer incident right now the course has over 15 hours of content with more being added each week and the additional bundle contains exclusive access to the malware information sharing platform and sandbox which can be used to share yara rules newly discovered malware samples and more on top of that they even have a slack channel for the course so you can interact with other students you can share the learning process and experience not just your own learning but grow with others as well so i'm super excited about this course i hope you are too there's a lot of stuff that i want to work through in this especially for my day job i'm super fascinated by malware i want to learn a little bit more about that windows realm and get closer closer to the low level concepts get closer to the core with all this stuff so if you are interested in this sort of thing please please please go check out xero2auto.com if you are interested i have a coupon code just my name all caps john hammond and that will give 15 off to the first 100 people that use the coupon so jump in and let's go learn some malware analysis hello everyone my name is john hammond and welcome back from the youtube video today we're going to be looking at more of the down under ctf challenges and i want to put a disclaimer right so i'm going to be doing a binary exploitation challenge and you've probably heard me before i try to convey that i am transparent about the learning process and you also probably heard me say before i'm not the best at binary exploitation reverse engineering and some of that stuff i have a lot to learn in that regard but i want to get better at it slowly eventually surely sometime hopefully so uh this is my attempt at the return to what challenge that i had solved during the competition and it's been kind of cool to see write-ups and watch other people and see how other people solved it as well so i'll try and showcase some of that also but that's enough of me talking let's get to my screen and let's showcase it so here i am on the down under ctf scoreboard the game is over at this point um but let me take a look at that return to what challenge it's i guess rated medium and the dynamic scoring brought it down to 200 points it says this will show my friends and we have a dynamic remote target we can connect to with netcat we also have some downloadable files and i'll go ahead and copy that and so i can download it i'll fire up my terminal here hop over to ctf duct and i think i had in the pwn category i'll make a directory for youtube return to what and let's hop over there w get this thing down i'm going to use attack capital o to save the output file because i see the real name is returned to what hyphenated i just don't want that token in my file name because it's going to be really messy there we go now i have that returned to what file and i'm just going to run the file command on it to see what it looks like what this thing actually is and it is an elf binary or linux executable 64-bit that's good to know so we're going to be working with registers of rax rbx rip etc rather than eax e for the extended uh 32-bit registers now we're working with the r so larger than that and not stripped okay so we should have some debugging symbols we could look at um let's go ahead and connect to that remote service just so we kind of know what we're up against i'll grab this netcat link and i'll just slap it in my terminal here it says today we'll have a lesson in returns where would you like to return to didn't do anything okay that didn't work weird so we got to figure out what this is what this binary file is and what we can do to exploit it given the name of this challenge return to what originally i thought like oh is this a return to lib c attack um and i thought like okay maybe that's something feasible i've done something like that at some point in the past and maybe i could tinker with that one more time as i learned more about it as i kind of unfolded i realized it was a different kind of return reference and we'll get to that let me just kind of walk you through my immediate process that's really what we're working at here we could just go ahead and run like stuff simple things like ltrace or s trace i should mark this as executable so i can actually run this binary locally there we go and i can run something like ltrace and it looks like i set a virtual buffer these are probably all things so that the remote target will behave prints out all this output today we'll have a lesson in returns would you like to return to and then i see it running the gets function which is peculiar and interesting because gets is a bad one if you actually check out the man page for gets i think it's man three to see the the programming side of it is that right yeah i'm using uh batman or bat the repository for nice color-coded command line stuff if you want to have color-coded man pages and cat files or like to be able to play them on your terminal go check that out the good description says never use this function so it's it'll read a line from standard input in the buffer pointed to s until either a terminating new line or end of file which will replace with the null byte no check for a buffer overrun or overflow is performed and you can read more about it in the bugs section here it's impossible to tell that knowing the data in advance how many characters gets will read so that is our immediate and knee-jerk reaction uh flaw and vulnerability that we could latch onto if we want to do some other things simple stuff okay maybe the flag is just in the binary we could check it out with strings and that was that command that i ran so i see something interesting volume here maybe that's the vulnerable function these are the strings that it prompted out nice nice and that was just that strings command that i ran obviously okay this uh is is very very basic and fundamental like study and reconnaissance that we're doing uh we should really be doing some static analysis and something like uh a disassembler between guidra or ida pro or r2 radare 2 or hopper i can open it up in hopper i can also open it up in guidra let me see do i have giger ready readily available i do let's see if geidra will behave with this i have a pixel size window okay looks like it's good i have some stuff old from google ctf let's import a new one let's go actually to can i type in this so i don't have to i can't type in this that's stupid ctf do ctf phone youtube return to what return to what load it up yep okay okay and then let's go ahead and draw that thing boom it has not been analyzed yes analyze it's the first thing i learned when i was working with r2 or radar 2 you're just passing a bunch of a's so it's like analyze analyze analyze tell me everything you know with that we can go take a look at some of the functions in here i do see a main function i don't know how well you can see this so forgive me maybe we should do this in hopper i don't know if i can zoom in on that at the very very least but i'll copy this code so you can at least get a better idea as to what it is and what it's doing i'll put in sublime text is the main function and all it does it says puts okay today we'll have a lesson in returns and then it calls that vol function that we saw okay so if we click on that vol and we go to it we should be able to kind of see that here over on the right hand side for its pseudo code disassemble vol it looks like we're going to be reading into a character array or a character buffer a string potentially 48 bytes where would you like to return to and then we run gets on that input and that's literally it we return out of that function we go back to main and there was nothing else to do so it's done and over all we do is we run gets gotcha so this looks like the setup for a classic and common buffer overflow uh and typically you could see that in a couple different ways you could see that with one pre-planted like win function where it'll just display the flag for you or it'll give you a shell and that's nice and easy because you just grab the address of that function and you overflow to the point where that function will be called and then game over you've won other thought for that is if that binary is running with an executable stack or with dep the data execution prevention or nx for non-executable bit if that is off if it's on then we don't exactly have a lot we could work with there we go okay so i ran checksec which is like checking the security functionality of a binary there i believe that's part of pwntools yep and it looks like okay we know we have a 64-bit architecture and nx is enabled so we can't execute off the stack so we can't use shell code that would be the that would be the the avenue we would go down if we were to be able to execute off the stack we would try and load some shell code into a buffer potentially the same one that we have given our input and execute it so we could run arbitrary code we could cut a flag we could run a command we could get a shell we could do whatever we'd like with that maybe carve out a code cave whatever you particularly want to do in this case we can't do it so crap okay what do we do regular gets function that will give us a potential buffer overflow but nothing to easily do with a buffer overflow that's annoying right gimmick here and this is where we'll transition to okay our actual agenda uh if we have this buffer overflow and we know we're not doing a return to libc attack we know we can't use shell code we know we're not buffer overflowing to any other potential function or anything what could we do with return oriented programming return oriented programming here we go return oriented programming or rop is this computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing so that executable space excuse me executable space protection is what we just looked at nx is on we can't execute off the stack and we don't have anything that we could easily easily latch on to so with return oriented programming you essentially are wanting to find small snippets of code or small portions and fragments of the binary itself of its real instructions that we'll do something in a function and maybe i can find this in ghidra well we'll get portions of of code and instructions up to a return function because that return function would normally allow it in the program to bounce back to where it was previously in its operation so you look for just what might come before a ret call or return call in this case it's going to pop rbp or another case it's going to do something else and you'll try and find as many of those things as you can and those are going to be our rop gadgets these tiny tiny bits of code these fragments that allow us to beat bop around the computer binary and eventually chain together what we want the program to do maybe call a function or load arguments and do particular things that's what we can do with return oriented programming or rop so you'll chain wrap gadgets the way we could do this um i again rob gadget uh don't quote me on this i think that is from pwn tools let me do a a quick google search drop gadget i can type is in maybe it's uh okay it's product with capstone yeah so it's not strictly prone tools sorry forgive me but it is something you can pip install rop gadget is super duper easy you run rob gadget and you say oh i need a binary to actually look at so okay you run tac-tac binary and then we pass in our return to what program so this is going to be super-duper cool because this will show you as much rap gadgets as it will find and you'll notice at the end of every single one of these obviously it ends with a with a ret or a return or something that will bounce it back to where the program was previously but you take these small snippets of code whatever they might be doing in assembly or the actual instructions of the computer program to slowly build out and load things and load things into registers to be able to call and execute other things okay that was a long winded explanation that we probably didn't need to go over because a lot of you already probably knew what rop was for those of you that didn't i hope you enjoyed that quick safari crash course deep dive uh now now that we know what we're doing we're gonna end up using rob gadget we can see all of these potential things will help us get data into registers and that's going to be super duper important for us because if we want to run code if we want to create an exploit obviously we want to get a shell right we're going to fire this off to a remote target and we want to get access to that machine we want a shell on that target so we probably want to call system and execute a command to get us a shell in order to do that we need to stage the arguments which are going to be translated as registers we're working what we're working with in assembly here we need to get those aligned with the proper values in the arguments since we're on a 64-bit processor 64-bit calling convention the way we're going to end up doing that the way that we have to get those arguments in the right place is very very specific if you were to google x86 calling conventions x86 that's going to be 32-bit right we want particularly 64-bit so we'll go over to this down section x86 hyphen 64. down here there are two ways to do this you could use the kind of the microsoft rendition of x64 calling conventions you also have the system v excuse me your system i guess 5 system v amd 64 api this is the system v 64-bit rendition of calling conventions and it's followed on linux and pretty standard among unix and unix-like operating systems the first six integer or pointer arguments are passed in registers rdi rsi rdx rcx r8 r9 et cetera et cetera et cetera nice okay so we know we need to get our arguments into rdi and then rsi for other arguments et cetera et cetera that's the gleaning information that we needed to get out of that to understand and know how that works this is great this is good uh problem is we're probably going to end up working to work we're probably going to end up wanting to call the system function but that was not in the binary that we have here we have i guess main which is the their defined function vol again their defined function and we have gets and puts so that doesn't exactly help us we need system but this is probably going to be ran with lib c or the library of other c functions but we don't know what version of lib c the program is using like we could see it on our host but that doesn't help us we want to know it on the target we need to know it on the remote service so we need to go ahead and get a leak out of this program to be able to find where are you putting your functions how are you defining the structure and the the layout of the code here when you run this program where is libsy and all of its functions being loaded so all right i've done a lot of talk now let's kind of set the stage let's start to create a python script and let's work with this i'm going to be using tools so i'm going to from pwn import all and then i'm going to load up this binary as an elf object we can do that nice and easily with pwn tools so i'll just say elf equals elf and then if you wanted to let's just go ahead and print that out lowercase elf is going to be my object and variable name i can see the sun starting to come in here so if i get a halo on the side of my head fair warning let's fire that up okay and we've loaded that binary and you can see it's going to give us that check sec output very very nicely for us great with pwn tools you can do kind of some peculiar stuff you can actually check out the symbols that this binary might have there's that print function over there and i'll spit this all out and that's a lot of output and it's gross and it's hard to look at what i like to do is actually import p print because p print will allow you to like pretty print and that will allow you hey uh if you have a giant blob of a dictionary value or a big long list and you want to kind of get that output line by line you can print it it is relative p print module p print function so you have p print dot p print i prefer to just from p print import p print so you only need one p print i've said that word a lot at this point let's stop doing that run this and now you have a much nicer and cleaner output so these are going to be the locations kind of hex kind of uh where they are the data that they're loaded into in the binary at that point so you have our von function that we saw there it's python's denoting it in decimal but we can know okay regularly that would read as a memory address in hex you can see the same thing for gets you can see the same thing for puts etc etc and of course we have entries in the got the global offset table or the plt the procedural linkage table we really care about okay where is the global offset table address going to be because we're going to want to use that to determine where our puts location will be or our functions will be or our gets location will be relative to the libsy library that we load so let's start to work with this a little bit more we know that we have a potential buffer overflow but we still haven't found it yet we've just kind of talked through it so forgive me for that let's go ahead and try and hammer this binary when you run return to what and it asks you for input you probably would just hold down your a key be like ah i don't know and you might get a segmentation fault question is where did that segmentation fault occur what is the value of your instruction pointer did you clobber the instruction pointer or rip that register so i'm just going to check that with d message and it looks like it got a general protection fault way down here so i probably had a little bit too much a's in there i want to be able to know how many a's or input that i provide the character that i'm going to use to overflow that buffer so i'm going to end up just sending it as actual i don't know string that i can multiply and manipulate with python i'll use python tag c to run just a simple command as a string i'll print out the a character 32 times and i'll pipe that into the program 32 characters didn't seem to do anything so let's try and amp that up i'll bring that to 42 characters still no seg fault so maybe that's not enough to fill the buffer and we saw in the code anyway that we know we have a buffer of 48 so we've got to be just a little bit after that how if i bring this to 52 it still didn't crash okay what about 62. there we go now i see a segmentation fault let's check out d message one more time and awesome i see a seg fault at four one one four one four one four one four one so all of our a's all of our hex representation of a um i have one two three four five six in there and you can tell this is a bad instruction pointer so i wanna take out those six a's i want try to i want to try 56 and i want to see if 56 is the sweet spot where i just barely touch the instruction pointer and now it's clobbered with a null byte or a zero it looks like it is so 56 is that sweet spot that's where the offset is where i can start to make a mess of that instruction pointer that's good for me to know because i can use that in my in my exploit let's say offset is going to be 56 and let's start to automate this once you have this l file you could simply run elf dot process and you'll have now a communication like vehicle right you can interact with that process you have some pwn tools tubes to interact with that so let's do print let's take note of that offset before i die drive away let's try and receive information from this p dot receive and let's python 3 ape so i can run that script and there's our beginning line today we'll have a lesson returns where would you like to return to i'm going to receive until new line so i can be a little bit more explicit in what we what data we get and when let's do that twice there we go and now we should be at our input option it should be it should be asking us and allowing us to type something in so let's put together a payload let's try and say payload equals um let's create a list here this will be kind of fun because we're going to smartly join together what our exploit chain stuff is going to be we're going to use that a value times our offset so we know that we flood up to the point of the overflow and we also want to determine where we're going to go next uh i'm just going to actually end it sending it i'm going to end up sending it like bs just so i can verify that okay we do have our instruction pointer overflow we can clobber that and i'm going to join this payload together i'm only using it as a list here so you can kind of visually see the pieces of our payload but then i'll put it all together into one line so i can just simply p.send line our payload and then make that process interactive okay and it should error it will it will receive that segmentation fault in our case right let's send it there we go switching interactive mode got end of file while reading an interactive and it just simply died we were got a segmentation fault or a sig sev if i check out d message did i send it too much stuff i might have let me turn that down or maybe i just won't be able to see it there we go no no i got our four two four two four two four two so sent a couple b's good rather than our a's but we know that offset is correct that is that is what we want there okay enough of me talking now let's get back to what we want to accomplish we don't know where libsy is or where all these functions that the binary has loaded are so we need to be able to determine that but by default we don't have a memory leak that's not something that our program will allow us to do naturally within the operation functionality of the program but since we have that overflow we know we could call other functions like if we wanted to you could just simply run vol one more time i'll show you that we were able to go ahead and do that elf dot symbols earlier if i were to index that with vol it should bring us right back to the volume function let me show you that ape and i need a bytes there so let me actually obviously that makes sense right that's a good point that i should bring up we said elf dot symbols vol and that only returned that integer value or as to where that function is in the program we want to go ahead and pack that so let's do p64 and that will put it in the little endian and the correct endianness notation that the binary will be able to read it and understand it so let's send that along there we go and it says today we have a lesson in returns where would you like to return to and i sent it the overflow and the address of vuln again so i can get back to that bone function and there we go it just ran it where would you like to return to so we ran vol twice we know that we have control over this program because of this overflow cool what can we do to get information about how this program looks at runtime where can we get this memory leak well we know we have puts and puts will display something out to us so we could use puts to get the address of puts which is funny right we could use it to get the address of gets we could use it to get the address of whatever we'd like that we have access and invisibility on within this program so let me try that i'm going to do that with pwntools and i'm going to use a little bit of pwntools magic here i'm going to say rop equals elf or excuse me rop of elf now pwn tools allows you to do rop or return excuse me return oriented programming it's kind of overpowered and and really really cool uh but it allows you to take the concept hey conceptually i know that i need to call this function and i know that i need to uh pass in arguments within rdi and all right are all the other like registers that we've researched and looked up earlier and it will kind of put that away for you so you can focus on creating your rock chain it's kind of nice so we if we create that rop object we could simply put together a rop dot call and let's try and run puts easy peasy it's going to be able to determine a no or at least it should be able to be uh determining and knowing okay where is this going to uh put excuse me it's going to be able to know the location of this in the binary if i just include this as a string i don't need to explicitly say elf dot symbols puts or else dot plt or g of t it should be able to track that down when we're calling it but we do want to include it in the arguments so if i were to say puts and then i'll use a list here for the arguments of that function let's use our elf dot got puts there we go and now we'll try and call our voln function just to go back to where we were previously so that creates this little rock chain for us but we actually need to put it in our payload so let's do rock chain and then let's see if that will work for us i might not have that syntax right let's try it one more time or maybe it does need me to be explicit let me do that just to be sure let's do elf dot symbols puts and elf dot symbols vuln to try and send those along there we go and that still failed maybe oh i should probably explicit i should probably be explicit about the architecture here let's do context.arc equals amd64 for a 64-bit processor in our architecture just telling pawn tools like yo this is what we're up against and let's see if that behaves please there we go okay cool so this payload this output right this data that we've just received is going to be the value of puts or where that puts location is and how we're loading lib c so let's actually extract and carve that out i want to be able to see that data let's do p dot receive until as we did earlier and let's just say this can be puts and i want to print that out let's do a log dot info so we're being very pwn tools like log.info puts found and get inside the string please at uh let's use an f string so i can really easily just throw in like hex of puts easy peasy um and i should probably strip that yeah let's let's do uh r strip to get rid of the new one at the end and then let's try and l justify it so it's gonna be padded with eight null bytes right see that let's see if that works python38 ljust argument two must be a byte string of length one not a string oh sorry that does need to be bytes because that was read as bytes original hex number bytes object cannot be interpreted as integer oh that is that is it's going to be returning to me as byte so i need to get the numeric value out of it i think i need to u64 that before i do all this let me just make sure that it is actually what it should be no uh can i print puts yeah so it gets it uh but we need to strip it r strip as we did earlier sorry i'm going to be frantically going back and forth and i know that's not helpful to you there we go okay now let's take the integer form of that so let's use 64 and unpack that there we go unpack requires a buffer of 8 bytes ah so that's why we need to l justify that of 8 and b x 0 0. send that along okay there we go and now we can smartly print that out with our log info so we did find the puts value there we go puts found there and we want to now look up where that might be in lib c so i'm going to use a live c database over here and i have this good one online libsy blue cat me so let's look for where puts might be with this address i'll do find and now i found lib c6 amd642312 ubuntu uh so this is probably definitely my libc version which doesn't help us right because we still want to do this for the target let me download this anyway just to kind of give you the proof of concept and then we can trigger this and switch this to do it for the online or the remote target actually you know what lo no no we've been we've been going on for a long time already let's just do this on the remote host so rather than running a local process let's do a remote connection of that chal du ctf and i think it was what 3001 i'm a reverse search my netcat connection sorry 30 000 three three zero zero zero three there we go now let's see if we get some good output for it and we don't need to print these things anymore let's make a let's make a nice exploit python3 ape connects to it loaded gadgets puts found at this address and we're back calling vol one more time because of our rock chain define that let's look for this database there we go and i see a lib c6 2.27 ubuntu amd64 so i want to look for the amd64 stuff because i want to make sure that it's going to be the architecture that we know this amd64 makes sense to me so let me download this i'm gonna go ahead and put this in the same directory as our script pulling that down there's a little bit of stuff to it let me pause the video okay that has downloaded so now let's load this lib c in we found the address of puts so we can get the lit c so lib c can now equal an elf of this file you can take in the elf representation of that libsy that we downloaded and we can go ahead and start to build out another rock chain let's do rop on lib c super easy now let's go ahead and try and call what do we want for our rock chain let's call system i guess let's use like libc dot symbols for that if we're being explicit as we as we have been just just for maybe good good measure and then we need to pass it something that we want to go ahead and call we want to call bin sh right we want to call a shell so we need these arguments passed in as a list um and you could use lib c dot i think it's search to find an instance or location of a specific string and that's probably going to end up needing to be bytes so let's pass that b prefix in and i'm going to use bin sh and then i'm going to include a null byte back at the very very end because we want it to terminate that string so this will return an iterator this will return like a list of things you can loop through so let me actually wrap that in next so i can just get the first occurrence of it that should spit that out for me right let me uh actually just write out that payload uh after that after the fact so we can make sure we can see it in there so we've called system bin sh and now let's just try and call like exit so we can cleanly get out of there let's run slipsy symbols exit and that should be a-okay so because we know we've got ourselves back at the von function previously we can just start to build another payload so what i'm going to do is i'm just going to take all that up there and the offset remains the same we have a new rop instance and now we're going to end up trying to call system bin sh and exit and cleanly work through it so we send line and we go interactive so let's see if this will work fingers crossed actually before i do sorry sorry i want to go ahead and do like a with open payload wb wb to write bytes and let's uh as h h dot write payload just so i have the sanity check to make sure okay that libsy will work a okay let's python three ape puts found loading gadgets for libsy that's gonna take a long time that's okay and now i have this payload file so i'm going to hex edit this payload it has aaa and seemingly nothing else interesting in there where's my bin sh payload did we find bin sh did we run system why did that fail oh you know what i'm sorry i got ahead of myself i was just rearing to go and i kind of forgot the fundamentals hey once you've found libsy we need to put the base address for the runtime of that program uh in the same context as our current rendition of libc we need to tell it hey okay libsy i want you to map your base address to what is currently being used and ran with that program so because we found the puts address from the currently running program in binary we need to be able to say hey libsy your address should actually be some quick math we need to take the puts address that we found minus your rendition of your already loaded puts value so that should kind of stabilize and normalize our lipsy and make it the same address as what the program is is running it as and where it's loaded so our libsy that we found and just take the difference as to where you previously had libsy and now let's actually just log that out let's say hey libsy base address determined to be libsy.address and let's try to run that found our puts there we go we found our lipsy base address and that makes sense that those trailing zeros makes this look normal insane to me how about our payload can i strings that payload can i hex edit that payload i don't see a notion of bin sh in there but you know what let's try and fire it away maybe my maybe my payload was kind of muffed up let's just try it send it let's see how we do python 3a load of 14 gadgets no did it die did it die yeah it died okay got eof i tried to run commands i tried to see if it would get the shell did we no no yeah okay so we we load it and then it determines the address totally fine and that all looks right i'm just gonna maybe we don't need to be telling it to use lipsy symbol system let's just use system and have it try and get that on its own maybe that will make me feel a little bit better and i removed that right but i now i realize i want it back because i like that sanity check so i control z to get that right payload down because i want to be able to see if it will tell me the payload that i'm working with next libsy search bin sh and that's all right go to gadgets it still died hex edit payload what the heck let me we are getting that value right let's call puts before we jump in to see if we see it it has been sh what what and i am okay okay okay so that shell worked that shell worked nice good job great work everybody um this is exactly what happened when i tried to solve it the very very first time um i got together this system calling lib bin sh calling bin sh to get a shell and i didn't know why it didn't work i would run it and it didn't give me the shell when i would have expected it to and then i just tried like debugging i tried to put a puts here and just make sure that i was actually finding the string that i thought that i was finding and then when i included that the shell came through and i don't know how or why that made the difference because i think like oh it's not stack alignment is it it's not uh it's not doing anything specific or peculiar just by calling puts beforehand is it is it clearing out registers that i'm just not aware of i don't know why that worked uh regardless we do have a neat nice little exploit script so if you can follow along let me do a a quick crash course an overview because i know i went through a lot and kind of got pulled in different directions that probably wasn't the best for learning but we're working with pwn tools we don't need prints anymore i set the architecture for this as 64-bit because we know we're working with a 64-bit binary we did our own testing earlier manually and found the offset as to where we can start to overflow the instruction pointer is 56 characters in or 56 bytes in so we're working with our local binary we connect to the remote service and then we do some pwn tools magic to start to do some rop or return oriented programming first we need a memory leak so that we can actually determine where are these functions being loaded specific to this binary at runtime pertinent to its libc so we use that puts function to actually tell us where is the puts function we use it to display it on centered output so that i can see the address in the global offset table as to where that function is that's our memory leak that's allowing us to go find and gather the proffer the proper location of that value and get the lib c that we need we call back to the original vuln function so it allows us to once again send another payload and we put together this rock chain after our offset we send it along and then we leak out that puts value with that we could use the lib c database to try and find that version of lib c and we could determine that proper base address just by simply okay calculating that offset and finding the difference there now that we have lib c it's easy we can run home we can just go ahead and call system with bin sh and get a shell for some reason and i'm excited for hopefully some of you to explain to me why did i need to put this other puts in there i'm still trying to learn always been transparent about that uh why did that work payload new regular offset as we did before and this rob chain to load libsy send that payload along we don't need to write it out anymore because we know that that would work i'm also not positive why it didn't include the location there but maybe it was just getting the values or like the location of of this business h and not actually the string literal string itself so i'm totally okay with that i think now that i've i've stared at it enough but thank you for putting up with me and tolerating that so okay this has been an extraordinarily long video and it really didn't have to be but i wanted to get in the weeds as to what all of this is really doing and how this makes sense so let's give it one more bird's eye view you can see all of this code and we'll put it side by side our exploit script running and off in action and we can get a shell on that target system so who am i apparently we don't have a username but we do have id values and we can go ahead and cat that flag awesome awesome thank you so much for watching before i tune out i do want to showcase some of these official write-ups um they had some over on their official stuff they have that noted here in ctf time can i get to the events please oh my gosh there's a lot of scrolling on the ctf time page event tasks and write-ups great great let's go check out return to what six write-ups cool let's open every single one of these so let's see what everyone's doing just for our own learning gets provides the buffer overflow okay they do the same thing we do essentially with rop i wonder what that is the goatee table is leak with the call to puts yep that's only possible because pie is disabled does that make sense position independent executable would kind of rearrange and make that very very hard to do if the position independent executable were on then i believe that entry for the that function would be a different place every single run time i mean it is but we wouldn't have the actual offset we wouldn't we wouldn't have the real value it would be some some distant location oh they use one gadget nice pone scripts that's cool what holy cow you can just find with lipstick database wow i need to look at that okay slick this is why you read write-ups guys you learn things you had never seen before that's awesome what is this hex what is this hex 38 python is that 56 yeah it's just the offset that you found okay how did you did you like automatically find that did pwn scripts just like figure it out for you all right i don't think he covers that ooh okay so yeah they link pwn scripts over here and i definitely want to take a look at that very cool that's slick all right i want to look more into that and i hope maybe that's some gem that you got out of that if you thanks for sticking with me for so long long long video return to what they use raw here yep okay they do the exact same thing we do theirs is a little bit prettier than ours because they're using big capital letters nice okay yeah same thing for what we do earlier you get a shell easy peasy return to what let's check out this one once again using rob all using rob that i thought the official one let me let me pull it up i'm gonna get the discord open okay here we go so the official discord excuse me the official write-ups that they posted in the down under ctf discord did include um kind of the raw rendition here where you're not using the pwntools wrapper to do rop you are a little bit more manual and including your pop rdi so you can get some argument into the specific uh register you can you can get your argument in there as needed for either puts or the bin sh that we have to supply for our system loop c so that's kind of neat and good to look at you do their offset you use pop rdi and then you get the argument that you want to pass in for the got value of puts and then you call it with puts and you go back to the main function nice and easy and then after that we leak out the memory address as we did earlier looks like we go ahead with libsy bass what is this constant value does that need to be there what is that leak minus okay that must just be like is that their known value of the base address or something and then they add on the original ellipse base oh is that like where it's loaded from for that binary and they're adding in the others for system and bin sh i'm curious what that is yeah at libsy then okay okay that okay okay send other that that second payload very cool very cool okay thanks for thanks for thanks for bearing with me everybody holy cow that was very very fun uh i hope you enjoyed it a little bit they were it's very very cool for me to look through write-ups and to kind of understand a little bit more it's also very cool and fun to solve it in the moment but uh i i definitely want to look into this what is that pone scripts tool that's something i've got to check out i hope you guys do too alrighty this is a super long video thank you so so much for bearing with me everybody you've been fantastic you've been an incredible audience i'd like to thank the academy i'm just kidding this is stupid let's try and end the video before it gets too weird thanks so much for watching everybody if you did like this video i know it's been crazy long please do press that like button maybe leave a comment maybe subscribe you know i'm super duper grateful thank you thank you thank you i can't thank you enough i hope to see you this weekend for the b-sides boston capture the flag competition i'm hosting it i've got a good team of people incredible challenge developers that have put together a ton of great challenges and you're going to have a blast and i'm really looking forward to it so please please please come hang out besides boss dot ctf dot games i'll see you there have a great day everybody i love you bye [Music] with [Music] you

Info

Channel: John Hammond

Views: 33,786

Rating: 4.9567027 out of 5

Keywords:

Id: i5-cWI_HV8o

Channel Id: undefined

Length: 55min 21sec (3321 seconds)

Published: Tue Sep 22 2020