Pwn 400.
>> This is, we are slowly going through the 25 types of problems that will make you into an elite pwner. And we're looking at number seven, which is called Got Milk.
>> And we've observed that probably that's going to reference the global offset table.
>> And also there's like a custom library here that, when we go to run it, it's like, hey, I don't know where this library is.
>> And so I wanted to see, like, well, where is it looking for libraries?
>> And so I just kind of copied that crazy library into a place where other libraries live. So I'm just gonna drop it in the lib folder. Yep, and now it's working great. Okay.
>> So okay, interesting.
>> It did cut me off there, says interesting. The other thing that I want to try when I first get something like this is %p.
>> Oh crap, that's a winner.
>> Okay, so I think it's our chance to do a string format vulnerability.
>> "You ready for this?" I have listened to the audio of the Lego movie like a thousand times because it was the DVD in our minivan for a while.
>> So I've never, I haven't seen it that often, but I've heard it a lot. And one of my favorite lines in there is, they have, I think, Shaquille O'Neal, and he's saying "You ready for this?" "Oh no, they were ready for that," like when the bad guys kill him or whatever.
>> Right? So let us dive in further.
>> Or I guess you can say file Got Milk: dynamically linked.
>> But it's got this other crazy thing I think we could do, like ldd Got Milk, and it says, hey, here's this glibc.
>> My lib has an offset address and then libc is in there somewhere, some sort of Linux thing.
>> Maybe I can do ltrace. What are their arguments?
>> And it'll trace, so while talking, ltrace Got Milk: puts "no flag for you", lose, lose, lose function.
>> Now that sucks.
>> Okay?
>> Alright, so this is, yeah, there's a lose function that it calls twice.
>> So it calls the function, calls the lose function twice.
>> Okay?
>> And the lose function is inside the, like, my lib thing. How big is my lib thing?
>> It's pretty hefty.
>> Just break, there won't be, hmm, no symbol for lose, something.
>> Alright, so here's the lose function.
>> So ebx, entry 0, it's weird.
>> So it'll jump into another function based on this thing.
>> Let's just do a straight jump. So like if I can get it to not jump, that's great.
>> What is entry 0?
>> Here's entry 0.
>> Oh, there's a win, there's a win function. Oh, I wonder if the lose function and the win function are like near each other. So I also know that this is a problem. We've never done this kind of problem together before.
>> Whatever.
>> If we go knock this thing out, we're going to, it might take us hours.
>> So we kind of have a question of, like, how long do we scout for, as good children are? Or do we go like looking at write-ups?
>> Cuz we could look at write-ups to try and get it done in an hour, or we can give it a college try and probably solve it on Monday. Alright, so we have a win function here.
>> I'll put this in Discord, I guess.
>> Own. Yep. Alright, seven, Got Milk, function here in my lab.
>> Function: my one hour limit.
>> Can somebody look up the address of the lose function?
>> I don't know if there's any peanut gallery preference for expediency or authenticity.
>> Preference.
>> Simulating loss. But it's interesting that it says that it simulates a loss and then gives you a real loss. So we have a win function, the lose function.
>> And I think it's important that they're not too far away from each other.
>> And I suspect, because here's some of the things we can do. So, so when it comes to a, so one of the things you have to do is decide, like, where is the stack smashing and where is the black box?
>> Okay, fine. Things like, okay, great.
>> We need to decide, like, where is the stack smashing part?
>> Alright, so this is the simulated lose. Kind of wish I had a different terminal.
>> I could see all this stuff.
And then this is the import, the libc.
>> This is a 32-bit thing. So, so they're like, grab the stack for passing arguments and stuff. These are the printfs where we get to. Alright. And then there's another call to lose.
>> Oh, how interesting. Okay. Okay. Okay.
>> Okay.
>> I've got, I've got some thoughts, like, kicking around in my head. And this is 400, right? So since this is a 400, it's kind of, I'm more inclined to get it done than to, like, wait forever and let people, like, kind of catch up. So we also have a one-on-one to get going, to say, here's my thought: they're calling this function twice, right?
>> There's a lose, there's a win.
>> We'll probably have to figure out, like, what happens in the lose, in the win, like whether or not they need arguments and stuff like that or whatever. But we get a printf string format vulnerability. String format vulnerabilities are really powerful.
>> You get to kind of read whatever you want from the stack.
>> You can write a small payload.
>> To, I think even to, an arbitrary address. So you can write like, like I think two or four bytes to any address you want.
>> And then the fact that this lose function gets called twice is pretty key to me, because this, this is the fact that it has GOT. So like the global offset table business, there's two parts.
>> The first part is using, like, the PLT, and the second part is using the GOT.
>> And so this loads an address into local memory that we can then read from here and then write to that address. And then, and then predict where the library will have the lose function.
>> And maybe we can change this from lose to win.
>> So that's, that's what I suspect will happen here.
>> So my suspicion is that, gosh, I wish, is that lose gets called once, which will load the temporary address into PLT, GOT, or something like that. We can write a small payload to that address to change win or lose to win. It just goes to the one function instead. Exactly, exactly.
>> So that's, that's my thinking here.
So, so now here's how we go about kind of identifying an arbitrary write in a string format vulnerability. It kinda looks like this. You put an address here and then %1$p, and you take a look at what you get back.
>> So here it says Andy and an address.
>> So I do this again, %2$p, I get that.
>> So I want to do this over and over again until I see the address kind of matches the ASCII for Andy.
>> And then I'll know, then I'll kinda know what my offset is for where, like, this payload is getting stored.
>> And so then I can use that address and then do an arbitrary write to the address where I specify the address.
>> It's a little bit nutty, right? We should probably write a script to do this.
>> Actually, we could probably crowdsource it too, since there's so many of us. Like, everybody start from a multiple of ten and do ten. And we're looking for, like, capital A is 41. So we're looking for, like, 0x41414141. So I, I'm working on, okay, a job that identifies the int x such that. So Chris, you can start at ten, Daniel, you can start at 20. You might have to copy the library from here to here before you get started. Anybody else who is actively, actively with us?
>> Hey Andy, it's Matt here.
>> A Matt Lensky, holy crow.
>> Ciao.
>> Welcome.
>> I'm into, come, come earlier by a little, here.
>> Where did you, where can I get the thing?
>> The bottom?
>> I've got, guys, I've got it already solved already.
>> Here's where you can get it.
>> So, so, so welcome. I've got, if you've got a nice environment for doing pwning, then you don't need to use this. But if you go to sec.prof.ninja, class 11 or 12, I've got a link at the top that, that will give you a kind of fresh pwn Docker image. And, and in the sec soft folder, you can kind of check out everything. And that has the kind of twenty-five problems.
>> Okay, awesome.
>> They're also at sec.prof.ninja/challenge, this large zip file.
>> Or you can go to GitHub, de novo sec soft, and in the everything branch.
>> Okay. All right.
>> Thank you.
>> Yeah.
>> Oh, what was that command, says?
>> Mark?
>> Yeah. Alright, Kristina. Okay.
>> So %7, was that number x == 7?
>> Okay?
>> So now what, so what that means is that %7$p is going to reference an address of our own creation. So how does this work? So I blah, blah, blah, blah, blah, blah, blah. So a couple of things. One, fire up pwntools. And I like to do this: e = ELF of Got Milk.
>> And I want to look at that mother, e.plt and e.got.
>> Okay.
>> So I'm a little bit shaky on the specifics of this, like how PLT and GOT work.
>> So, so I, I think it would be worthwhile, like, getting to the heart of how PLT and GOT work, since we're missing our pwn leader today.
>> But this offset is going to be reliable for, like, where I can go into, like, the lookup table.
>> And the GOT is going to be like a global offset for where I can find these functions later after it gets called once or twice.
>> So like these are, like, reliable addresses where I can look up something, maybe somehow. So.
>> So maybe the thing to look at is like "PLT GOT", "PLT GOT CTF write-up".
>> I always get a little insulted.
>> And they call these things babies and things, right?
>> Right.
>> And a lot to learn.
>> Alright?
>> So this is the part that brought me here. "We can simply create a ROP chain to leak the address of puts at GOT by calling puts at PLT and then returning to main. It's a pop RDI something," and causes, okay, so let's find the address of puts at PLT. Okay, so I think that's what we just looked up.
>> Okay.
>> So let's double-check this.
>> I'm just going to copy and paste it there.
>> I want to look at, like, this lose function and see if it looks like a real address. No data in it.
>> Oh, yeah.
>> That looks like a real address.
>> I don't know what the true essence of these two things are, but they both hold real-looking addresses that I can, that I can feel good about.
>> Alright, then so earlier, so I think the other thing that we've done in our scouting so far is we looked at this win function and we've looked at this lose function.
>> I want to see how far apart they are, like, or, or more specifically, what do they have in common or not have in common, kind of as strings here, right?
>> Because we can write a payload to an address.
>> So it looks like now this is like an offset naming, eh.
>> Maybe it, maybe I want to subtract those two numbers from each other.
>> Like, if these were addresses, they're this far apart from each other.
>> The text of that value, that's two bytes.
>> So like if I've got this address or this address, I'm not sure which is important or not.
>> And I like add this to that. I feel like it's gonna overflow me, and maybe I subtract, and I'm not sure which, but, cuz what we can do is we can go to a spot and we can overwrite something.
>> So I can, I can predict the location of these bytes and override them with some other bytes. And we kinda have to decide, like, what bytes do we write where. And by the way, I notice in my head, but in terms of, like, pwn school, we've not yet seen how.
>> So, like string format tricks.
>> So what do we got?
>> %p shows basically some hex from the stack. %p %p shows two values back. %3$p,
>> the third value back, and et cetera.
>> And then what we found is that seven is that we can write an address and then do stuff to it. So then I think, so the thing that I have in my mind is something roughly like this, like %65343c and then p. And then like address here, we'll write hex of 65342 to address here.
>> But, but I think it might be one other thing.
>> It might be that, it might be that this, this might be, I have this memory of hhn.
So, so like I replace my p with an hhn, and that does something to write. And maybe different values of h and n are like how many bytes I want to write. So this is the thing we have to kind of, like, we got three or four things that he codes. I think I'm ready to look at a write-up now in order to help us possibly get done before my nonsensical faculty meeting in 23 minutes.
>> Okay, so let's go "Got Milk write-up".
>> It is purple.
>> That means I've looked at it recently but not today. "Leak base of libmylib, use GOT of lose function to redirect execution to win." So that sounds like what we're trying to do. Wow. Oh, yeah. Yeah, it sounds like what we're trying to do. So, "Easy peasy, saw great simple format string bug. The catch is, you only get one printf call. It's hard to find leaks and overwrite a memory address at the same time."
>> "Global offset table, Got Milk, 32-bit."
>> So here you just discovered the seven, same as me. "There's an obvious format. We know the seventh address from this hop. The stack is controlled by the first four bytes of our input. So we can use %hn or %n string format specifiers for arbitrary write."
>> Okay, so, so something in my memory banks is right about "the PLT and GOT table in a binary contains the address to the program's linked libraries."
>> "We usually use the PLT to translate library calls from inside the user's code
>> to addresses inside the library." "GOT: the binary has no PIE and partial RELRO. So you can use checksec to get such information."
>> "This means the addresses of GOT and PLT remain the same on every execution." Okay?
>> So that's what PIE does, is it leaves the library functions, isn't, okay. "Let's get more information about the library that comes along with it."
>> Dump.
>> Okay. "We see a lose and a win."
>> Oh, look at that, that, that's nice. From an offset perspective, that's, that's cleaner than the way mine was. Okay? "The function lose is called by Got Milk's main. The win function is the most interesting."
"We can find addresses of the GOT and PLT entry from, I don't know, we got it from pwntools." In fact, those look like the addresses that I was looking at in my terminal. Yeah.
>> Eighty-four eighty, four eighty and a0 ten.
>> So there's the a0 ten in GOT.
>> So there's lose, but we don't have win.
>> So we only get, "the thing to note is that we need to leak lose's address to find libmylib's base in memory. We need to put this address on the stack and then leak from it."
>> "So the plan is simple: redirect the flow of the program to give us more chances to leak and write, i.e. multiple printf inputs."
>> Oh, whoa, what? Oh, okay.
>> Wait a second. Wait a second.
>> This, this is, this is a twist and turn I did not see coming.
>> All right. So he's saying we need to leak this address in order to, we get the, getting of libmylib's base in order to get the address of main and win, and then call that. "Redirect the flow of the program to give us more chances to leak and write. To redirect, we need to overwrite lose's
>> GOT entry with an address after the first call to printf." Redirects me to overwrite lose's GOT entry with an address after the first call to printf.
>> "We call lose twice in the program, one before the buggy printf and one after. Overwrite lose's
>> GOT to this. Step one, read the lose address, overwrite the lose address to that.
>> Step two, calculate the base of libc by reading the lose address. Calculate the address of win." Alright, so let's see where he got this address from.
>> Because I am, I have a feeling that this address is in the main executable.
>> And he's going back to, like, he's going to use basically, it's like, hey, I don't know how to do this with just one printf, so I'm going to do it with two printfs.
>> I think that's the idea that
>> Off here.
>> Here's the write-up that I'm looking at right now.
>> So 866f there.
>> So it's going to just after the lose function.
>> I mean, I think the point right before the printf.
>> Okay.
>> Well, yeah.
>> Puts it around beforehand, right?
>> Oh, yeah.
>> Cuz it vacks on the, on the, it wants, isn't it, wants the same string format vulnerability or whatever.
>> Yeah, okay, that's a, that's a pretty slick idea.
>> I was thinking, I was thinking, oh, we have to do it all in one printf. But he's like, all right, I'm just gonna jump back and do it again. "Calculate the base of libc by reading lose address. Calculate the address of win by taking lib my base plus offset. When the program runs another round of fgets, we shall overwrite lose's GOT entry with win's" thing. Okay, so let's see, context, terminal, win offset, lose offset. So he got those offsets from the objdump -T. I did not have those offsets, right? So I need to use that to get better offsets, cuz those, those offsets are like, oh yeah, that's totally easy to rewrite. "win address is win offset plus base," yep, that's after. So we need to leak libc, not libc but libmylib or whatever. "Then print lose address and redirect to another fgets, read lose address, overwrite lose address to that, overwrite lose address with new, we, after lose address here, after lose, lower half is bottom, actual OS, upper half is shifted down," and okay. So this is him doing, look.
>> But when I was crowdsourcing, roughly, hefty Python script, it is, yeah.
>> Okay, so let's look at the hefty, cuz this is where we'll get some value.
>> Alright, so libmylib, fine. Otherwise go remote, fine. For x in range 0 to 1. Try number one, that payload is 99 underscores. Why, why would we do this? Oh, I get why. I get why.
>> Okay.
>> Okay. All right, fine. 99 underscores. The first four will be lose address plus two. So this is definitely from that GOT, but just added two to it. Oh, oh, oh, I think it's because they can write two bytes at a time. So I'm going to override the top half and the bottom half. That's why this crap is happening here, okay?
Because this, this, this trick here is very limited and you can only write, like Mike said, two bytes at a time. So lose address plus two and lose address, and then percent plus range offset one. Alright, so this is, is this 6f, this 7e, is this like the actual straight-up printf, like, seven minutes after the printf says 70 is after the printf, 6f is before the printf. Okay. And I don't understand the minus 31 and the minus 13. This is, this is some mystical stuff to me here. Mystical enough, I almost want to look at a different write-up. Yeah, this is way shorter. Yeah, this is way shorter, this is more in line with what I, but "change lose at GOT address least significant byte to match win's address least significant byte. So we check my lib C, you'll see that only the last byte differs. The other way to verify it is to leak lose at GOT address a bunch of times using this, and you'll see the last byte remains constant." This is what I was looking up there. Okay, log.info, great. There's the hex address payload. They just take that and then this is what I was saying. Yep, yep. I feel so smart now. So this is way better than that other one. The other one probably has some nice insights for how to scout around. But I do want to take a look at that last byte. sendlineafter. Oh, look at that. I didn't know pwntools had that. Wow, I didn't even know that.
>> That's just changed my life too, because I'm always like recvuntil and then sendline.
>> And that's like a combined recvuntil and sendline all at once.
>> Okay?
>> So the only thing that I'm not happy about is figuring out this last byte of the win function offset. So I'm going to try e = ELF of this. Yep. There's the 89. So, so here's my sort of way to see that, or I'll say NDS, whatever it looks like. There's eight different ways to find this data. And this is the one that I had in my head. So there, 89 is 137. 133? No, no, I'm confused again.
I'm going to do 137 instead of 133, because I think that's a mistake, and see if I can get this to work. Okay? So e = ELF of Got Milk, fmt, lose, 32 of that.
>> Okay? So p = process.
>> Oh wait, it's probably gonna complain. When it, good. And then I think I want to sendline p32 of got lose plus %137c, dollar c. No, just c. I mean, I have to explain, like, we have to find some source material to learn this stuff a little bit better, but it's fine.
>> And then %7$hhn should do the right, stupid, failed.
>> Failed.
>> So why, so, so try it with the three.
>> Yeah, I did. I just, I just swapped them back, two or three. Oh, oh, oh, oh, no, I agree. I agree.
>> Alright.
>> So this is one of the things that haunts me every time we go to do one of these together. And that is that I lack the tools to debug this crap better.
>> So, so seeing, like, what happened here.
>> Okay, so conceptually, here's a couple of things. Alright, so let's take a look at, so I feel okay with, like, okay, this is close. If, and then if I were alive and figured this stuff out, we'd be like debugging for hours now, but, but the concept is there. So let's look at string format vulnerability tutorials.
>> Fine.
>> Okay, alright, so I think this does a good job of highlighting what the thing is.
>> So, so now for everybody listening, if you're totally lost, wherever else, let's take a second to catch you up. When you do a printf statement, you typically give it a format string and then arguments. And so in this case, this is going to say, hey, I'm going to inject an entire character array, an entire string, into what I put on the screen with this %s. And then the second argument would be that string. And it's like, okay, I'm going to inject the string here, and that's what you write. Versus this one is just going to printf on a variable name that came from the user. When that happens, the user can start injecting these format strings.
And since it was expecting an argument and it doesn't have an argument, it starts reading stuff from the stack and from registers and things like that. So that's the essence of the exploit.
>> Is that clear for folks who are, are hanging around? This wasn't, were you, crisp, cool.
>> So, so putting in the format, like, starts leaking things as if they were arguments. And so here this person's like putting in all sorts of stuff and seeing what they got. And, and now you can see they start leaking things straight from the stack.
>> Great.
>> Okay, so and here, here's kind of what we're doing, is like putting in your key characters and then look for them, and you can see an address that you can actually control. I'm going to log into my faculty meeting in my Bluetooth headset, then, one ear.
>> Forgive me in advance if I get distracted.
>> So, all older, more authorized. Oh, oh woo.
>> Okay, so here's this thing. Then this is the part. So, and this is kind of like jump straight to the right spot, so forth, parameter on the stack. Alright, so then exploit. Great. That is cool. It, I think this is being way too verbose to get to the place I want. Alright, here's the n part.
>> So let's go to the n here.
>> Okay, this is the essence of it. "So this writes 41 spaces followed by the low bits of the address of n as a character, then writes the value 42, although this is the, reuses the dollar sign n parameter." Okay? So this is like a character offset thing. So this here, this format string is going to make like a large, a long character, like a bunch of spaces, it's going to do a padding or something like that. And then an address, or then like this will pull an address off where it's going to write that thing, but it's going to write like the length of that thing.
>> Okay?
>> So sorry, it's really distracting to have the faculty meeting in my ear. I'm sorry. So okay, so here's, here's the stuff.
%x$p for x, or %x$x, reads the x-th parameter from the stack for prints. Then to write, we can do, oops, %99x, %x$n, to somehow write int 99 to the address at the x position. And n means, or by bytes, hn means two bytes, hhn means one byte of space.
>> You do not have a lot of space to write them? No. No.
>> We're like wrestling to approve the minutes from last time. What we do is way more effective.
>> Okay?
>> Okay, so that's, that's the string format. Like you can, you can do a, a write of, like, for two or one bytes and an arbitrary value. And, and I think that further, like, p32 of an address followed by that will write the value 99 to that address if you can find the correct value of x. So that's kind of the magic.
>> Make a small payload, write it somewhere thing.
>> Then the other part is sort of GOT versus PLT. If a function gets called twice, then the address in GOT becomes the new library location of that function. So in this case, lose gets called, overwrite the last byte of lose with win, then it gets called again.
>> So that's the idea.
>> Something is wrong in my implementation, but it might just be like, you know, actually, oh, I know exactly what's wrong. I know exactly what's wrong.
>> Oh, it's stupid.
>> It's stupid. This is something Landon would have immediately got right. It's a context thing. So in my, in my pwntools, they're doing it remote. So that, that, wow, I just worked, but it's this, like, I need to tell it to use the library here. So like pwntools, right?
>> Context, library, cool.
>> Note that it's not finding the right library.
>> And I think that's why, bear, maybe, I think Landon had a write-up for us, problem three, in his write-up for problem three is this one.
>> But where's the write-up for three, in the write-up for, probably, I think he had the line that I was after, this env LD_PRELOAD. This is what was missing. All this can be satisfied. Oh, right. Yeah. Right. Right.
>> That didn't work either.
>> Okay. So at this point I'm going to say, like, you know, Landon, help us debug whenever you're feeling better. Again, I think, I think I'll stop and I'll, and I'll say, like, okay, that's like, you know, one-hour-ish attempt at problem seven. We can look at some other pwntools or other, like, write-ups, and maybe you guys can have a little bit more success than I had. So I think we're close, but I just have to, like, screw around somehow.
>> But there was this LD_PRELOAD business, I guess.
>> I guess, but, oh, one, but I'm going to go back to my other meetings.
>> Thanks, guys.
>> Thank you.
>> Yeah. Okay.
Andy Novocin's Personal Meeting Room
From Andrew Novocin April 03, 2020