So we're going to try a charming shellcode problem, problem 1225, problems that... and this is pwn 400. Slowly walking our way up, leveling up. Every time we... I did a bunch of investigation up front that I didn't record. So I'll just take a look at a few things here that matter. One, in this problem, we do have canaries and the addresses of main are going to change every time. But we do have an executable stack and we have read-write executable segments. Did a little bit of work to validate that. We have a read-write-executable BSS segment. So in theory, if we can write something into there and direct the control flow to the place we write, we can write shellcode. When we run the program itself, it leaks two addresses. So we need to figure out what are those two addresses? Trier, complimentary snacks, and then whatever I put here, I'm going to get a segfault. So here's what we've sort of deduced from our reversing: a three-step program. Sorry for my terminal here, non-ideal, but okay, so we've got some printf. So we're just about to figure out what is getting printed out. These things, EBX, when you see this thunk.bx, and this is on the register EBX, that's going to basically be access to like global variables of sorts. So rather than arguments to this or whatever, anything that's like an offset from EBX is from kind of like the global strings in this thing. Actually, sticking out of this thing was not stripped. I should take a look at the strings real quick. Not as interesting as I thought it would be, but that's okay. So I can see 2820292028220 e. So we can probably figure out which of these is going where. It's going to use this format string in two of the printfs. That'll probably be the puts. So let's see what the second argument is.
>> Suppose printfs.
>> Okay, so here's a printf. Pushed onto the stack is this address, address EBX plus four C's. So it's probably that 2029 I was just looking at, although this one looks very far away.
So we're gonna push down on the sacrum. Oh, but this is... no, these are close to each other. So for C four C O, beautiful. Okay, so the address where I can write 18 bytes is the first address that leaks. The next address that leaks is the address where I can write... how much can I write here? I can write another 16 bytes into local_1c. So I can't trigger the canary, I see now. So this is going to print the address of one. See, this is going to print the address there. So these are the two places that I'm allowed to write. And then, oh, sorry, I figured this out before, but I forgot that I'm back to recording. So if we look at this vulnerable function, and it's called three_steps, there are three places where it's going to read input from me. The first input is going to write into global BSS space and it's going to let me write 18 bytes there. The next address, the next read... so these are going to read, this is going to say like step two, this is going to say step one. The next time it reads, it will let me write 16 bytes into local_1c. That will tell me the address of global and local_1c. I think I maybe see where this is going. And then the third step is it's going to let me write only four bytes into local_20. But then it's gonna beautifully, for whatever reason, load local_20 into EAX, which it will then call. So it's going to execute at the address of whatever address I put in here. So for the third one, I think we want to put in... oh, let's think about this for a second. So, so if we've gotta write shellcode in 18 bytes, conceivably I could get away with an 18-byte shellcode. This is 19, 18, and probably will need something to go exactly right. Let's see the one that's in pwntools, because those are normally pretty reliable. Do I need to set some sort of context? Now that looks like 32-bit. So there I've got 44 bytes. And we saw that we had 18, 16: 34 bytes that we can write. And beyond that, we need to like it and we need to give it an address.
So, so here's what we have. We have 18 bytes at address one, predictable. Then we can write 16 bytes at address two, also predictable, but far away, but on the stack. And we do have an executable stack and we can write four bytes to go to another address. Okay, these are the parts we must assemble into our Apollo 13 engineering puzzle. I think there's one more thing I want to think out. So here I just wanted to see how long this was. And they said it's 44 bytes. Is there kind of shell that comes out of this thing? Conceivably, I could grab a shell off of somebody else's. That might be a little bit shorter. I think we're pretty lucky to get it fitted into 18 bytes. And I do it in two steps. It's called three_steps for a reason. Okay, so the other thing I wanted to think out is like what's on the stack? So when I do this call EAX and I'm down there and I'm writing my own code, what is going to be on the stack at that moment, like here, the stack pointer? Well, I could set a break point and just find out. TB to see any rules. That's eight characters, 12 characters, fired 18 characters or 16 characters, and there's eight K 00. We skip right over sub2.
>> Eight characters, invalid command.
>> Wait a minute, wait a minute.
>> Input factors. And the first one probably not. Probably not read the line.
>> Got it, that's why, I see. Oh, I should've only written... alright, restart.
>> Oh, but knowing any rules, rules, rules, that's way too many.
>> That's 16 characters, 17, 18.
>> Okay.
>> Art telling a story, right? 12. So do I only get 15? And then why did it... oh, because it copies what I wrote in there twice. So I do get 1234 12 before, followed immediately by **** you 1-2-3. So, so if I can get really slick, I could conceivably go longer. But, but the stack pointer at this time, when I do the call EAX, it is at 28. So the stack pointer is 28 before the base pointer. And I'm allowed to write into 24 bytes. Into 1c, 16 bytes and four bytes.
I wrote into 20 also, get cockpit 24. Okay, so that's important because now as I go to call EAX, what's going to happen? Well, if I needed to pass it an argument...
>> So if I could figure out, so suppose I could find the address of a gadget.
>> So I don't have predictable things, break. I can, can I leak something? What is it? I'm leaking one, leaking EBX plus 4h. That's the address where I can write. Now why, why would they leak me my own local address?
>> Whether we can knew my local address, I could... oh, hey, when that thunk.bx gets called, when that thunk.bx gets called, it sets EBX to the stack pointer. That's weird, but what it printed on the screen did not look like two... the two addresses it printed out did not look like they were anywhere near each other.
>> In our same kinda go back far enough to see sample two addresses. I make an infinite loop. Here we go. Yeah, so one of them was like in object land, stack land. And the fact that those segments are consecutive means that I could conceivably calculate my way back into this area. Could I take advantage of that?
>> So so o
>> So two buffers to write to, yes, no.
>> The addresses, both of them?
>> Yes.
>> And one of them was unlike that 5-6 a SEP, that's probably in BSS, stack address. That's executable.
>> That's correct. So I have two executable writable chunks and I can control the flow to go to one of those two. And I was just playing mentally with the idea that if... maybe I'm solving a harder problem now. I think that the BSS chunk is consecutive with this code. So I might be able to even jump back into here and continue to write more too. If I could, if I could like tweak the stack pointer, then I could come back and continue writing more and more and more onto the stack, but it feels complex.
>> Yeah, yeah. And so, so if you have one area of code, like say you write like your 18 bytes to wherever the 18 bytes address is.
And then like you want to write your next whatever 15 bytes, like how do you connect those two pieces? Like if you were actually just writing assembly, how would you connect those two pieces?
>> So I could call it, the second piece.
>> So I can, I can write a call of the second piece into the first piece, rapidly.
>> What's a better way of, like what does calling actually do?
>> It does like a, it's kind of a pop EIP.
>> Yeah, like it jumps to the other address, pushes EIP. So if you can just jump, if you just have a jump at the end of your one... so yeah, man, it would like act as if nothing changed. Now, the only issue here is that like the shellcode that pwntools gives us is like 44 bytes, which is a little too long, right? Like if you were to just sit there and write your own execve shellcode, I'm pretty sure you would come to like 27 bytes if you just sat there and, like I said, like I want to zero out all the registers, push /bin/sh to the stack. And then if you just did that on your own, like you'd probably get something like 27. It's like, I don't know why there's 44 bytes. I haven't thought a lot about it, but whenever I tried this problem, it wasn't difficult to get out there again.
>> So, so the thing I want to... I'm down with, as I was thinking the same thing, that I put my shellcode into parts and jump at the end or move from one to the other. I haven't written shellcode; it's time for us all to learn to write some shellcode. Here, when it comes to this, right? Like here's a jump if equals. I don't know if I can find just a regular old jump in here. I suppose it's time to learn. Yeah, here's a jump, but even this jump, the jump value is kind of a negative value. It's like jumping back ten, right? Like so the jump is kinda relative to where I am, but this jump seems like it's reading from a register. So maybe I can do like a jump to like stack pointer plus 12.
>> I mean, you can, when you're writing the code, you can load it into a register. So like whatever that has gone and done to it is like, oh, okay, and then jump, jmp edx is likely to do.
>> Yeah, now it's gonna take me, I guess it's going to cost me five bytes or so to load that register, right, and then another, and then another two bytes to jump to it. So we're going to lose seven bytes, which is fine. It's like I've got 11 plus 16, so okay, and that's the 27. So, so, so I have 27 bytes to squeeze my shellcode into.
>> This was the problem, like assembling something in the chat one time. Rose, like if you want to zero out like registers and you're trying to save memory, you can set ECX to 0 and then do the imul instruction on ECX and that'll null EAX and EBX, rather... really, yeah. Cuz like imul, dislike, takes like, it says imul on a single thing is going to multiply that thing by itself. And so 0 times 0, and that's going to store that result, the lower bits in EDX and the higher bits in EAX, and they're all zeros. So that zeros those registers. I don't know, that's like the coolest thing, that is really cool. I feel like it's even cooler when you zero two registers out, only one.
>> Yeah, absolutely. Absolutely. I didn't do that in my lecture on Wednesday when I was using ROP gadgets, but the ROP gadget I did use was one that did pop, pop, ret on two of the registers I wanted. So I was like thinking about being like, oh, we could use this one and undo like 64, 64 00 and just get it done with one gadget. But it's cool, cool concepts. Okay. So
>> And so now tools to create shell.
>> Let's take a look at something now.
>> Alright, so let's start our exploit now.
>> Shellcraft. So if I understand this right, I can write this in text and it will, and it will convert it into machine code for me, right?
>> That's awesome, that's awesome.
>> So I don't actually have to think too much, so alright, well let's try this out.
>> xor EBX, EBX.
Oh, wait, this is, this doesn't use registers though, right? Shellcraft clearing out EBX, ECX, EDX, and 32-bit system calls use the registers.
>> So I've never done a system call on 32-bit. Is it the same way, the same thing? Actually, no, it's not the same as bourbon.
>> So that's an 11-byte.
>> That's an 11-byte call. Exactly, the thing that costs you is writing /bin/sh to the stack.
>> I'm not sure if you can just pass... like I could probably pass that address, right?
>> Have shellcraft execve, path equals SH myself, because I think that... it's almost there.
>> That's 28, bad. We're one away from, from set.
>> And maybe when my family, when we did the math, jump.
>> Is that correct? Yeah. So what would this be? Move what's a register?
>> I don't care about ESP, EBP, ESI. Move ESI 18, 18, 16, 18, 16.
>> And each of those I would be careful. The newline, 32.
>> Oh, yeah. That's... I think the 16 didn't seem to care about the newline, but, but fair.
>> But 18 definitely did, whatever. 17 plus 32 bytes.
>> Yeah. Yeah. So 32 is our goal and I'm pretty sure we lose seven. So we've got 25 bytes exactly. These kindness, I think it's wasteful, okay. Okay.
>> I mean, just like looking at, they pushed onto the stack.
>> Yeah, that's true, move.
>> I think that saves, I think that saves, for again, the null bytes from happening. But what you can do is you can just do mov 0xb into AL. And then that prevents the null.
>> I'd say I'm, I'm, I'm hunting for, because execve also has more arguments, just like system minus sh, cat fish. That is pleasant. Shorter. I just wanted to see all the things. Alright. Cisco. Alright. It's not path.
>> Okay?
>> So, so read this thing.
>> I don't know why they got it.
>> You literally just pushed whatever string they're creating, unless it's like, oh, I see why they did that.
>> Specifically, the push, where does push and pop to get sys_execve in the EAX, right? All I have to do is just... yeah, today's zero everything out.
>> And that's because the reason they did that is because they didn't want to null EAX.
>> So what you can do
>> So like you can chain... xor EDX, EDX?
>> Yeah. You imul ECX and that zeros both of them out.
>> And then where does the push and pop?
>> You just replace that with mov 0xb, mov EAX, 0xb, and then that'll eliminate one instruction, right?
>> Right, right, right, right.
>> Okay.
>> Alright.
>> So and you're, and you're embracing like, I think the thing is if you move like, they're, they're like trying to like get the null terminator on /bin/sh, and it's like if it's not null terminated, it's going to be like the system receives this and is like, what the **** is that?
>> Like, I don't have a problem with the, like I see what they're trying to do.
>> Like if it comes down to it, we might need to seek alternate... So what is this push here doing?
>> Which one, the 60 guy?
>> That's the first part of the essays.
>> Ultimately the... pry /bin/sh. Oh, okay, yeah, the dome, four bytes at a time, horizon poker reading is by a hand teach, because that's exactly what they're doing.
>> Illusionary question, like it seems to match, right? So which part did I want to kill?
>> I wanted to kill xor EDX, EDX.
>> And you're destroying and imul ECX, yes, which is... and then, and then instead of push SYS_execve and pop EAX, just do mov EAX, 0xb, mov AL, 0xb.
>> It'll put a null byte in the shellcode. If like I get to use like only the register, like the only, only the amount of register that you're moving, like only moving one byte of the data, and like, oh, I gotcha. I actually gotta be really careful, like that one byte, seeing only use one byte of the register, otherwise it's going to have null bytes in anything.
>> So you want to kill the push SYS_execve, a constant, a really crazy way of doing this. Whatever, and swap it into a mov AL, 0xb system.
>> Call for comments here. SYS_execve is 11, which is 0xb.
>> Got it?
>> Here's our 27. Okay?
>> So the last, print this and see that there is at least one line.
>> Okay, so I want to kill the last 16 bytes, maybe 15 bytes.
>> We were a little bit nervous.
>> So 18, 16 is 34, we take away seven and that gives us 27.
>> Do you think we've gotta like send this with that control-D character, comprises to newline, control... Okay, so I'm gonna copy this. Took me an hour, dog.
>> CTF is tonight.
>> And that was the CTF?
>> Yeah, it would be good for us to do well at that.
>> But it's their first, like it's their first worldwide.
>> CTF ends up lines
>> Yeah.
>> I mean, the CTF was good last year, so I'm sure they've got their stuff together.
>> Yeah. Yeah. I mean, you know, speaking of, by the way, are we, are we also going to host our CTF?
>> Postpone that. Honestly, I think like one area, one time of year that doesn't have enough CTFs is the summer.
>> How? There's plenty, like commerce, PlaidCTF, there's everything going on, right? Right.
>> Yeah. I think you're right. You know, like we have a CTF in an area where people are like, oh my god, there's this CTF right now.
>> Thank God.
>> Right? That's right. That's right. Yeah.
>> Because during this time of year, it's like there's three every weekend.
>> I can't possibly compete in all of them. In the summer it's like the next one is in three weeks.
>> I feel like that's, that's an area we can... yeah, good, good teams won the PlaidCTF, then they make fun of us.
>> But at least like, yes, that's right, like a perfect glue says the blue side, but at least they'll know who the Blue Hens are. That's exactly right. Reminds me of that Pirates of the Caribbean quote, just like "worst pirate you've ever heard of, but you have heard of me."
>> I didn't even see the exploit from it. I should've been able to solve this problem like 15 minutes ago.
>> But I don't, I know, I know exactly what I'm doing wrong but can't figure out how to fix that.
>> How do you, is there a way to print...?
>> I know GDB prints out all local variables on the stack and their current value.
>> Is there a way to print that in like just binary or like a different way, like what's the easiest way to just print out the value of a local variable that's on the stack in your function that you're in right now?
>> And right here you see, I think GDB, like doing say, local variable, dealing like something like local ca, sharing like a register, like right here.
>> It's like very CH and I, this is like the most basic problem.
>> I should do this like immediately.
>> I know exactly how to do it, but I keep doing it wrong. So what I like to do is just do a buffer overflow and then set like a variable on the stack to a certain value. And I did the overflow. But I think that whenever I do like a bunch of A's and then like a number, then gets is like doing some type of conversion on my number, like converting it in binary, like from either ASCII or UTF-8 or something.
>> Because the value that goes in the variable is like 49 instead of one. You know how it's getting 49?
>> Because that makes no sense to me.
>> Because even when I like convert the number one, in like any encoding, back down in binary, it's like never.
>> 49
>> How far are you overflowing over the local? I only... sending like one character into a local variable, exactly what you're trying to do now. So they're all int32s.
>> So I sent 24 A's which overwrite all the other local variables all the way up until the one on the stack that I want to overwrite. And then I sent a single character, like just number one at the end of all of these, like A's. But then it's like setting it to 49 for some reason instead of like, it'll at least like something that makes sense. And you're not sending a newline by chance?
>> I'm using pwntools and I did not, unless sendline sends a newline on... Hold on.
>> Okay. I got it. 40 not here.
>> Say here, sending one the character, right? Yeah, which I now wasn't going to work, but 49 still doesn't make sense to me.
>> 49 is the ASCII value of one.
>> What? I literally looked that up and it did not say that.
>> I'm not... now I'm actually quite like the decimal value of nine. It sounds again like decimal, yeah. Okay. That makes way more sense, like an ASCII to decimal.
>> Can I have like a calculator?
>> And it was wrong. Not annoyed, but that's stupid, our tonight. You seem to find ASCII value, either gets me like whatever ASCII value one is.
>> I'll just throw that in, it'll work.
>> Alright, we're just all ones or something like that. Okay, thanks.
>> Oh, this won't work in Python 3. I got one concern of mine, which is like, I don't know if this is breaking at the end of a nice part of the command. I think it is by coincidence, but I'm not entirely sure if this one is the beginning of the next command or in the middle of like an opcode. And I don't know that I have a great way to decide the answer to that question, but I think it's the only way it can work without having to go back to the drawing board again.
>> When I wrote mine, I just wrote like, like I wrote it in chunks. So I wrote like, and then I just checked to make sure it was less than 18. And I was like, that's good enough.
>> And then I just wrote the next, next ones.
>> Yeah, I think like because I was looking for my shellcode, I can't find it. So I might have put this like before my VM GitHub existed, huh?
>> Oh yeah. So it's going to write my jump and I got a little bit carried away with me.
>> In Python 3, the coop.
>> Alright, I got it, thanks.
>> Is it trim?
>> Trim scare you?
>> I know which character to get gigs like.
>> Are you kidding me?
>> I hate string. It says Dopey, Grumpy. Oh, and then I need, I think the address, or was this right?
>> When I did a jump like this, I feel it in my... endian, endian, this rate, you just give it whatever job until I don't know.
Cuz, cuz I've never like, even in all the weeks we've been doing this, I haven't come up with a good debug-this-moment system, which I need, I need to like level up, right where I wanted to do debug stuff within GDB where I did the heap stuff? Yeah. Yeah. Well, I think, I think I'll probably need some upgrades to my terminal here to get fully path and definitely few upgrades. But whatever, I like to some extent, if you should be a consultant to the terminal team to say like one, get rid of this too, like, alright, these things have got to work and whatever. But like I would love it if this terminal is everything we want it to be rather than just good enough, because it's a secret weapon.
>> We want to find the data's fare well, actually, I want to turn into like a whole company.
>> So exploit that, Python 3.
>> If I did that the other day, and it like in Python 3, just because it couldn't handle characters or I can't decode this ASCII, okay. Oh, well, so one thing that I like about this is I can write assembly using tools. That's fun.
>> One thing, since that was for the part one, have you sort of run this ASM on it and made sure that it disassembled into legible assembly when you like broke it up into chunks? Yes.
>> I agree.
>> I was, I was going to ask it out loud, but you're helping solve his problem, which is show me what the last instruction is.
>> Yeah, it does fix the problem.
>> So, so this looks fine, 2, 3, 4, 5, 6, 7, 8, 9, 10.
>> It's just a little bit inconvenient. 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 plus seven is 19. But I can probably rearrange it, right.
>> Like that's 19, so okay.
>> Okay. I can fix this.
>> We got it.
>> I got it.
>> Okay.
>> Never mind.
>> That doesn't... thanks. But I was worried about... okay, so here's what I think I can do.
>> I think I can just rearrange this a little bit.
>> So I'm gonna take the first five and then... and then 3, 4, 5, 6, 7, 8, 9, 10, 17, which is 0-indexed 16.
>> Alright, that looks wrong. But if it's wrong, it's going to be because of something dumb.
Undoing. So I got the first five, right? And then I wanted to jump to 89.
>> It's an off-by-one error.
>> So I think this will still do the same thing, but after 11 bytes, it's a nice clean white.
>> Isn't JMP are defined? I don't know if you evaluated that.
>> Decide if I'm right or not, but I'm going to give it a try. Yes. Mm-hm. Mm.
>> Okay. Yeah. I think, I think a lot of time, but this is, this is the writing shellcode that we've always wanted to be practicing here.
>> Yeah.
>> Something.
>> Yeah.
>> Yeah, that's right.
>> Well, Landon had some control codes have been around for a few minutes here, like in my actual terminal, I was trying to get toward pwntools.
>> Now I cannot send control codes like control, share, how to send.
>> Yeah, I've been trying to figure out how to do that, and that's how I had to solve... abuse control.
>> A ends up being ASCII one.
>> But I don't know how to do that with pwntools because I can't send control characters.
>> You, when I set like certain things to false, like it says in the documentation.
>> I didn't know if you ever tried, but I think it's like I wanted to send certain ones and I just found a way around whatever issue I was having. I couldn't figure it out from the documentation either.
>> Control characters correspond to some low ASCII values. That might be something like this, like the ASCII, the control-A, like is an ASCII, it's like ASCII, but I can't figure out how to send that through pwntools. Like by default it doesn't send the control code.
>> And when I set the certain parameter to false, it still doesn't work.
>> Or I might play around, maybe I need to escape it correctly or something. I don't know.
>> Why is it moving ESP to EBX?
>> That's crazy.
>> That's where the path is read from.
>> Yeah, but we were like messing around with ESP in order to get /bin/sh in there. So part of what I cut up was under the assumption that ESP wasn't going to be like messed around with.
>> What do you mean?
>> The mov ESP to EBX, way, is often the first thing it's executing.
>> Yeah.
>> Yeah.
>> Like I cut it up in a weird way in order to, to make ESP happen after, after you write the interface to... yeah, okay, alright, so that just means I cut it in the wrong place.
>> So that's good.
>> That's at least an error.
>> I gotta, I gotta cut this short, but good luck. There's some shellcode thing site. I now can like actually write raw assembly in x86.
>> That's cool, you know, so alright.
>> Thanks everybody.
Andy Novocin's Personal Meeting Room
From Andrew Novocin April 10, 2020