Oh my gosh.
>> I did not record all of that because I was doing surveys and things like that and so on. So sorry, we're recording now.
>> Alright, so we've got, I was just going to do this exploit.
>> I did it last time, but it's going to do it a lot, lot slower. Thanks Jordan for, for speaking. And here are some things that I did research on to find some stuff, MG legacy. And here's how I did the research.
>> So one, you can do that.
>> Give us this whole copy of Walmart there. So I can do ROPgadget, binary, and libc.
>> And this time I'm going to pipe it into just a file.
>> So I'm just going to have a little text file where I've got all the results. I'm not having to go through this really long process every time I want to look something up.
>> And now if I kind of look at that, I see stuff like this, which has handy little assembly that I could call to do various things scattered all over the place.
>> And I don't even know what the command ADC does. I'll look it up later, but that's all in there. And now we can, we can grep through that.
>> So I can say, hey, give me one that has "pop RDI; ret" in gadgets, and there's four of them.
>> Great, cool. So what this gadgets thing was doing is it's finding the offsets inside of our Walmart glibc for assembly that just does cool stuff.
>> And so what I did is I collected some things that, that I thought were cool.
>> So one, we needed to know where printf was. This is the offset of printf.
>> And I was going to do, I was going to try to pull off.
>> And by the way, if you want to feel like a total master, you should pick something that I'm not doing, right. You should like trick the file into doing a printf "Hi there," or something like that, or printf "/bin/sh". And if you can get it to just show "/bin/sh" on the screen rather than execute it, then you know that you're the boss of this thing.
>> By the way, with printf, it leaks the address of printf, so you just use that.
>> And, and so that one's actually pretty fast to do, to, to demonstrate just how much, you know, power you've got here.
>> Actually, I had a question.
>> Yeah, guinea pigs.
>> Guinea pigs.
>> Step on up, and anybody can be a guinea pig any day, right? Like if you feel like, you know, you're not represented by the people talking, then, then unmute yourself and talk. Last night he talked about how we gotta get a reverse shell on this program. What do you look like when you're really hacking servers and that kind of thing? You get a shell on them by doing a reverse shell.
>> What do you mean by that?
>> When we're like on an executable like this compared to like getting onto a server. So an executable and a server are essentially the same thing, right? When, when you think about what a server is, it's a computer running 24 hours a day, running an executable. So like this program here is like waiting for my input, but at a very meta level, so is this program bash, right? Like bash is sitting here waiting for my input.
>> When I type something, it processes my input and goes and executes some assembly.
>> And this thing that I'm on is a shell that I SSH into, right? Like I can look down here. There's an IP address and a port, and I SSH and I'm routed to that port and IP address to do stuff on this computer, which will exist for an hour. So when I get a reverse shell through a binary, what it's really saying is that I'm here and I'm just typing stuff, you know, "hi there," whatever. But I just found such a crazy like set of things to type that it instead gave me power to boss the entire machine around. Like complete arbitrary, you know, "I am human" type power. So typically in a, in a CTF, they're going to have the binary running on a port. What do you mean by that?
>> When?
>> I guess it's a little bit webby. When you go to any URL like this URL here, it's going to resolve the URL into an IP address.
>> Because that is just like a pathway to a file.
>> So basically that's right.
>> And so here it's giving me like a github.com. Here's an IP address. At that IP address it's going to look up what file I'm referring to. So it's going to look up bye bye User and de novo. And here's this like MD5 or whatever, some unique ID in order to get to this, like just. And so then its servers are running a program that like fetches this file and shows it by serving up some HTML and injecting it with like the data that they've stored about this thing. So all servers and all URLs that you're interacting with, our Zoom things are all servers and so on there. They're just programs running, waiting to serve, like a happy dog wanting to like fetch a stick.
>> And so since this happy dog wants to fetch our stick or whatever, we essentially are like throwing something and the dog gets confused and brings back the keys to the neighbor's Mercedes. That's, I don't know.
>> So when a binary runs as a, in fact, I'll do this later in the class. We'll do like a CGI server where you take your code and you set it up as a service. Then somebody can hit it at a URL and be interacting with your code. And, and, and what I'm saying is that everything you ever do on the internet is that already. OK? Then what's the, I mean, I get that the binary is like the stuff that they called up, the code part, and the port is just what, how your computer
>> Yeah.
>> Yeah.
>> OK. Analyzes. Right. Every computer sees itself as a server and so it can have many, many programs running on that particular device. Like all of you have a different port number on the same IP address.
>> We're on the same computer right now, and your port number is going to be different.
>> And that's the port number connecting to your exact like container. And so your container is running in Docker, which is a binary, and Docker is running bash. And so like I'm getting an experience as if I'm on a computer but I'm, I'm remote through a particular port number through a web terminal.
Like there's like three or four or five layers of binaries here to get to the place where I can type ls and see a thing. And each of those is a true binary running. And it's just that the binaries we've been writing kind of have like a command line interface rather than a GUI, which is fine. And if you want to make a command line interface for a service, then, then you can do that. And almost every CTF problem we do has the binary that we're going to be exploiting and then the thing that's running. So for instance, on Friday, I think we're going to look at, yesterday we ended up looking at 0-days on Zoom. Friday we're going to look at some 0-days.
>> In Chrome.
>> Chrome is a binary that's running. It's running on a bunch of different people's computers. And like, can I send something through a site that triggers a vulnerability in Chrome, right?
>> I think to some extent it's just the nature of how servers work.
>> And that's why I hemmed and hawed a little bit, because, because we haven't really talked that out in this class. That clarified greatly.
>> Thank you. OK, cool. Thanks.
>> So a reverse shell through the program is basically just forcing it to do things it shouldn't do. Actually, I showed you guys like the Super Mario Brothers, right? You guys remember me showing you Super Mario getting pwned in this class at some point?
>> Yeah.
>> Yeah.
>> So you know that it's like, did crazy stuff and all of a sudden they're doing arbitrary code execution in Super Mario Brothers.
>> And that's all we're doing here.
>> OK. Cool.
>> OK. OK.
>> So, so where was I?
>> Oh, yeah.
>> So what I wanted to do is I had this like crazy one gadget. But what I really wanted to do this time is, instead of making it print whatever, I want to force the program to do this code.
>> All right, and, and this is like my choice to want to do that.
>> And here are the pieces I need to do this, and you can do this along with me.
So we've got the offset of our print, printf, the place in glibc where the function execve lives, like as a utility. And then three register pops. So these were gadgets that I looked up that would go "pop RDI; ret", "pop RSI; ret", "pop RDX; ret". And then finally the string "/bin/sh".
>> So let's build a little thing together.
>> And these are sort of
>> Python copy-paste-able.
>> So I'm going to copy and paste them into Python.
>> All right, p = process, baby boy, leak = p. So the first thing it says, this is my leak, and I need to kind of look up my printf address.
>> And I did this before. It was leak split minus 1, as sort of the last thing when it splits up by whitespace. And since it's a hex, I'm going to parse it into an integer base 16. OK, so then here's all the stuff I just got from digest. Alright, so who can tell me where I can find the beginning of the glibc?
>> Now, not a person.
>> Subtract printf offset.
>> There you go, thanks. So you've got the printf address minus the printf offset.
>> So this is the beginning of glibc.
>> All right, who can tell me where the function execve lives? Now it's base plus offset.
>> That wasn't a hint. That was just the answer. Now I'm going to put this into a 64-bit form.
>> And, and now I'm kind of like, now this is a place where, where to wrap my head around this.
>> What is it that I need to be doing here, right? Like what should my payload kind of roughly look like? I like to just sort of sketch this out.
>> It's gotta be an offset.
>> Alright? And from last time, we kind of noted that the offset is 40 characters, then will be like the next address to execute.
>> And then can be like data on the stack. And then I can keep on going.
>> So if I want to run a bunch of these things, what am I going to have to do in order to call execve? Well, it's a 64-bit binary. In a 64-bit binary, the arguments are put into RDI, RSI, RDX.
>> So in this case, what I need to do is like set the value of each of those registers before I call my code. So I'm going to do, let's set the value of RSI.
>> That one's kind of easy because I just want it to be 0.
>> And so this little thing I've just done is going to, is going to add, putting on the stack, go to this address where it's just going to execute a pop RSI.
>> When it does the pop RSI, it's going to take this value off of the stack and put it into the register RSI. And then it's going to go to the next address on the stack and execute that, because it does a ret right afterward. So now I can do pop, p64(base plus ...). I'll do the other easy one.
>> RDX: pop RDX plus p64(0) plus p64.
>> And what's the last register I need to set? It's RDI, the most important one. Now RDI is the first argument. And remember that this is sort of the thing I want to do. So now for the first argument, I need this string. And so I went hunting around to find where that string lives. And this is where it lives in libc.
>> So the address of that string will be base plus the offset of "/bin/sh".
>> And now I've set all three of the registers I want.
>> And finally I can go to p64(base plus execve), send that crazy payload.
>> And then I can go interactive shell.
>> OK, that's like the whole final kind of answer.
>> Guinea pigs, my spider sense says that was way too much, way too fast.
>> So start, ask me some questions. Like try to start dissecting that for the sake of the crowd.
>> So last class you didn't, I don't think you found the "/bin/sh" offset.
>> You find that in the same library that's included in this folder?
>> Yeah, so here's how I found all those offsets.
>> Maybe, maybe I'll save this.
>> Save exploit.py, 1 through 11.
>> There's a cool little thing.
>> And I, IPython, what are all combined.
>> If it were Python 2, I'll just save it the old-fashioned way.
>> Here's all the stuff I did. Quit.
>> So here's how I found all those offsets.
And kind of like how I had the mental model of what do I need to find, right?
>> So, but the thing I want to do, the mental model I've got is this. And I know that in order to do that, I need to set, I need "/bin/sh" as a string, I need the execve address as a function.
>> I need three gadgets: pop RDI, pop RSI, pop RDX, each followed by a ret. So how do I find "/bin/sh" as a string in there? Well, I can do this: radare has some nice like binary cutting tools. So I can go rabin2 -z on libc. And that's going to have a whole heck of a lot.
>> But if I just look for sort of "/bin/sh", that'll give me the one place where "/bin/sh", like, lives as a string.
>> And that's, that's awesome.
>> It's just like, if you're using a lot of tools going on, I think what we're doing right now is really helpful just to identify what sorts of things you're thinking.
>> And then like, you know, OK, like I'm following what you need to find, like which tools you're using to do which things. Like, yeah, yeah, OK. Just, just ask how you paste in a terminal, and I think this depends on your machine. So I'm on a Mac and I can do Control-C, Control-V, and it works pretty well. But I think for Windows folks they can paste in with Control-Shift-V maybe, but they can't like copy back out.
>> So, so that, that sucks.
>> And, and, and I noticed that like you answered a lot of no's in the earlier stuff, and it, and it's probably because like it's just hard to like, get this terminal to work for you or whatever. So, so maybe, I've got office hours later if you want to stop by and I can like individually screenshare and help make stuff work.
>> That'll almost.
>> But if there's somebody else on Windows, if you've been struggling with the copy-pasting, maybe you've got some advice here. Alright, Jared is saying Control-Shift-V for, for paste, Control-Shift-C for copy.
>> OK?
>> And, and I've seen some people who've had luck where they like grab something and they can do the right-click copy, right-click paste.
>> That, that's not true on the Mac, but on Windows, I think a right-click paste sometimes works too.
>> Ubuntu on Windows. Yikes.
>> OK. Yeah. OK. It's the Ubuntu subsystem, do the right-click paste. Oh, no, no. That's Steven. That is a different person. Yep. Yep.
>> OK.
>> So what was I saying? So I needed "/bin/sh" as a string. I needed execve as an address. So for the execve address, I did readelf -s.
>> And there, and I got that guy. Now I'll note one thing. The fact that my exploit worked is partially because I got really lucky that this copy of libc is the same as the copy in my system libc. I, I could actually set it to like use the library that they provided in my pwntools.
>> Because typically when they provide a libc library, it's because they want you to know the version that's being used on the server without having to figure it out. It's a kindness to the hackers, which normal people wouldn't do. You'd have to figure it out for yourself. And there's some cool tricks for, and like tools for, figuring out which version of glibc they're using. There's tools for lots of cool stuff. So that's, I found my execve. What else do I need? I need, and then the gadgets.
>> So, so you saw me do the ROPgadget, dump that into a file, and, and then I can just grep through the ROP gadgets for various things like this.
>> And so I got my offsets from like there, there and there.
>> So it, I think it was, maybe it would help you mentally if you could, like, let's, let's do the crazy thing.
>> Let's, let's have it.
>> Let's have it printf one.
>> Let's see if there's other strings in here that we could like.
>> I don't, the string, and Debbie asking for too much.
>> There's some crazy strings in here. Like I could, I could, I could get it to print out an error message.
>> I could get it to print out some, ooh, ooh, here's like a whole alphabet, hmm.
>> If I, admit it, that says "hi k," maybe I'll, maybe I'll make it print that.
>> So I'm just like screwing around here to say, hey, while we're at it, I can make it print whatever I want, right? So, so here's, not quite whatever I want, but this is the address of, I don't know why that's in there, but that's in there. And so I'm going to make it print that.
>> Just, I don't know if you think there's value.
>> Otherwise I can move on to the next exploit. Made it as dumb.
>> What does that rabin2 thing, what is rabin2? It comes with the radare tool set. And it's like a radare2 binary analysis tool. And then there's different flags. So -z will give me like strings. -s will give me symbols and functions and weird things like that. But I can get it to print out this whole like copyright business.
>> That's kind of fun.
>> And so I was just looking around for like strings that are in there that would be interesting to print out, just to kind of demonstrate how much power we have here. So I was going to, well, there's the word machine, but whatever. I had, I had a thing. So if I wanted to actually just, I actually have the address of printf right here.
>> So if I wanted to make it do kind of weird other stuff, I could make it do weird other stuff.
>> And I need 40 A's.
>> And then if I want to make it printf a particular thing, I need to do a pop RDI. They always say when you're, when you're public speaking, never to code live.
>> And here I am coding like the weirdest thing in the world live, but so be it.
>> So using IPython to send stuff to the executable or whatever, the C file.
>> Yeah, and here I just wanted to like, you know, demonstrate that our model of what's happening is correct, right?
>> So like I'm gonna pop that address, purchases like hike, into RDI and then, and then afterward just call printf. And it did something wrong.
>> Maybe I need to clear out the other things too.
Yeah, I'm not going to debug it, but that's the idea. And you should like play around and say, alright, now that I've pwned it, let me make it do whatever. It is not as satisfying as it was when it was perfect.
>> Alright.
>> Next up, I wanted to know, I wrestled with like, alright, how many, how, how much stack smashing to do? And this one I thought was healthy for kind of getting your brain around the other version of, of a calling convention. So the 64-bit calling convention uses registers in this order: argument one, argument two, argument three, argument four. The 32-bit calling convention uses the stack. So this other problem, zipline, which is in the folder 5 leapfrog. This is a little bit crazier and let's take a look at it.
>> But here's this whole beautiful write-up.
>> But I'm like, whatever, we'll just take our time. So let's take a look at this, this problem.
>> OK?
>> Alright, so this is 5 leapfrog. Alright, zipline.
>> Let's run it. "You ready for a ride on a zip line to ****?"
>> Oh, OK.
>> Fine. Then no zip line for me.
>> So we can checksec. We can see there's no canary, no position-independent execution. It's definitely stack smashable. It's also a 32-bit machine, so this is kind of our 32-bit version.
>> And I can do file on zipline.
>> Alright, cool.
>> Executable. And I can even do like, well, ltrace won't help, helping.
>> You're actually, but I can start to take a look at it. All right.
>> And we're getting pretty good at this. At this point.
>> We can jump in there and stuff. There's the thunk.bx. OK, thunk.bx.
>> Just resets some registers so that I can have access to like global variables, setbuf, and not worried about that.
>> There's a puts, zipline, i got you. OK. So i got you.
>> Is definitely weird. Zipline is definitely weird.
>> Let's go take a look right here.
>> Zipline. OK, well there's a gets, so my little heart skipped a beat. This is a stack smash. Who can tell me the offset just by like what I've got on screen here?
>> So where is it that I'm going to be writing to? Gerald said local_4h.
>> I actually disagree. It's not local_4h.
>> Here's the gets, so local_12h.
>> So we're going to be writing into local_12h.
>> local_12h is how many bytes before the base pointer? 12; 12 in hexadecimal and 12.
>> And hexadecimal is actually 16 plus two rather than ten plus two, so it'll be 18. And if I'm 18 bytes before the base pointer, how long is the base pointer in, in a 32-bit machine? Yep, four, that's right. So 18 plus four is 22. And that's how I know my offset. So my offset is going to be 22 bytes, because I'm going to write into this address, I'm gonna smash 18 of them and then four more to overwrite the base pointer. And now I'm into the place where I'm controlling where the ret will go to next. So I can start my whole process of chaining.
>> Once I write 22 bytes, is the base pointer four? Because you just know that because this is EBP?
>> That's exactly right. It's an EBP rather than an RBP. If it was R, it would be, it's four bytes because it's a 64-bit, and 16, and it's 32 divided by eight. It's not just like just knowing, it's like 32 bits is how large each register is. And that means each register holds 32 divided by eight bytes. So there's four bytes, and every character we type is one byte, so we have a 4-byte register. So we have to add four to the end of our, our sort of address where we're writing to. Yep, that's right. So, so just saying, to figure out the offset, we can just use the local line. Yeah. And I really, I can, I can really see it just from this. Once I see this and like whether it's an EBP or an RBP, I know the offset roughly.
>> And so 18 plus four. OK? So our offset is going to be 22.
>> And that will let us control where the program goes next and all those things like that.
>> OK, great.
>> We're, we're, we're feeling better and better about stack smashing.
>> The 18 is 0x12. 0x12 in hexadecimal is equal to one times 16 plus two times one.
>> Alright, good.
>> Thanks for asking questions. OK, now after it's done calling zipline, it goes to a function called i got you.
>> So let's take a look at what i got you has in it. Seek, sym, i got you.
>> And here's the crazy i got you function. Alright, so if I take a look at this now, now I've been around the block a few times and, and so I can, I can recognize what's happening almost immediately. But if, but if this is your first time looking at this kind of crazy thing, here's what we see. We've got test, comparison, jump, jump, jump, jump, jump, jump, jump, jump, jump.
>> And if I pass all of the tests, then it's going to open up a file and puts that stuff out and whatever else.
>> So this is definitely going to be a win function that's going to print a file that has like flag.txt.
>> And now I can recognize that a mile away: this is a win function, but it's a win function with some conditions. And that is, I need base pointer plus, you know, A, B, C, D, E, F. I need all of these addresses to like, have probably the value one in them.
>> And great, OK. That feels weird. Like maybe I can accomplish an arbitrary write and leak the address of EBX or something like that, kind of get around all this stuff.
>> But what I'm really getting out of this is that they need me.
>> So CTF sense: there's a bunch of these like objects that they need me to go and mess with. So I gotta go mess with a bunch of objects before I call
>> i got you.
>> So right now when we call i got you.
>> It's going to skip over all the opening flag stuff and just go to like, you know, quit, basically. OK.
>> Can I ask a question about those move statements?
>> Of the, yeah. Oh, yes. Move statements.
>> That's basically the frogs you need to leap?
>> Yes. Yeah. And, and maybe not actually, would like. Yes.
>> These are evidence that I landed on the various lily pads. So lily pad one, lily pad two, lily pad three.
Lily pad four. This move is not actually like, this is an address in sort of global memory, and it's comparing this global memory byte against essentially, is it the value one.
>> And you know it's the value one because that's what test has. So test al is going to look at like the lowest order byte of EAX to see whether or not it's one. And if it's one, or if it's like not one, then it's going to jump.
>> Otherwise it's going to keep going.
>> OK. So that move statement is saying that whatever is in EBX, whatever the address in EBX is plus 41 bytes, it moves it into register EDX.
>> That's right. And, and, and by the way, this is something that it took me a little bit to wrap my head around. Whenever you see this like "byte" and square bracket, or "dword ptr", or "qword" or something like that, it makes it look unnecessarily complex. This is just the computer's way of saying, hey, this is a, this is like a read and a write. And you've just given me an address and I don't know how many bytes to write. So anytime there's ambiguity, it's going to then add this prefix that says 1, 2, 4 or 8 bytes. So "byte" means it's going to write a single byte. I'm not sure what the two-byte one is. It might be like "dword" or something. And then there's, then there's "dword ptr" is four bytes, then "qword" is eight bytes. So there's just like a little prefix here that says how many bytes to, to move from this address into that register.
>> OK? So all that's telling us is that we need to put ones wherever EDX is going to be, and then one at 41 plus that, 42, 43, et cetera, right?
>> We're going to read one byte from that spot and move it into the register EAX.
>> And it needs to be one.
>> It's one byte, there needs to be one. Comes from the combination of these two.
>> We have the, and just saying our next goal is to put ones there.
>> That's correct. That's correct.
>> Where to find a bunch of ones and point it out with EDX? Well, we are now, now what I get from that is that with so many of those, I'm seeing a bunch of like light switches I need to go flip somewhere, is when I start to see there.
>> So I'm gonna go to main and I'm going to poke around just above it and see what's above zipline.
>> So here's a function called bedrock, and it is going to go to 48 and add a one.
>> Like it's going to do that thing at that exact address, as like, oh, snap.
>> And it's going to do a memcmp. And if I don't pass this memcmp comparison, it's going to fail on me. I don't know exactly what it's comparing, but it's going to be at EBX minus F1, F2, F3.
>> Then there's another function called minecraft nether.
>> And it's the one that's going to set the one into EBX 047, and it's going to do a memcmp with some other thing and my argument. So what's important here is that there's a function called bedrock and it's going to consume an argument, a 4-byte argument at EBP plus eight. And it's going to compare that argument with whatever is in memory here, these four bytes, and decide whether or not to fail or let me keep going. And here's a function, nether, it's going to do the same thing.
>> And here's a function, ****, it's gonna do the same thing, limbo, underground. And this is called zipline.
>> And this like, you're ready to take the zip line from ****.
>> Water, air.
>> OK.
>> And that's why I like 41, 42, 43, 44, et cetera, in hex is 65, 66, 67, et cetera.
>> Alright.
>> With me? Maybe. Yep. I'll take that as a rounding. No, I'm going to look at this one other way, and we're, we're at time. So if you need to go, you gotta go.
>> I'm going to look at this one other way, which is, let's do rabin2 -s on zipline. OK?
>> These are the various functions in there.
And there's a function named air, water, land, underground, limbo, ****, minecraft, nether, bedrock, zipline.
>> And i got you.
>> And to some extent we need to call each of these functions before we call i
>> got you.
>> And we've gotta pass them each an argument that makes sense. All right, and let's see if we can figure out the arguments. So here's, I'm going to look at the strings in there. And this is very pleasant.
>> Dumped them here.
>> They're letting me know what strings I'm gonna do my comparison with.
>> So this is going to go into a comparison of the argument and the word Claude, and then water, land, under, limb, ****, mine, Brock.
>> So these are the arguments that I need to pass in to those eight functions in order to set all the right values in memory, in order for it to like open the locks of the win function. This isn't traditional pwning, although we can do traditional pwning on there. If they give me a gets, you just give me some time and I'll, and I'll get you a shell.
>> But these are the things that it's going to compare to in each of those functions.
>> And also here's where I can find those strings in my binary. So here's an address where I can actually find the string land, mini game. There's the string land, here's the string water, here's the string Claude, under, limb, ****, mind, and Brock. How did you know that calling those functions, like how do you know what they do exactly? Well, I saw that it added one to something.
>> But yes, a singlet.
>> One thing is that when I called file on zipline back at the beginning, notice that it ended with "not stripped".
>> So what that means is that they actually included the flags that have like source code lines in there for me. So now inside of my strings I actually get to see some source code and all of this. Anyway, I'm, I'm at time. We will, will, will solve this problem together on Friday. If you want to do it on your own in the meantime, so that you're like totally prompt or whatever,
here's an entire write-up of this problem.
>> And then, but the lesson I really want you to learn from this is kind of how to do 32-bit calling conventions and how to kind of clean up after yourself when you're done.
>> Thanks, everybody.
Andy Novocin's Personal Meeting Room
From Andrew Novocin April 08, 2020