Identifying another exploit mitigation and find bypass. stack0: part 2 - bin 0x22
Skills:
Network Security90%
Key Takeaways
Identifies and bypasses an exploit mitigation technique in a modern system
Full Transcript
you should now be familiar with stack level Zero from protostar and especially our quick look at what happens when you compile this code on a modern system specifically with the St cookies in this video I want to develop a working exploit for it and believe me there are a few mountains we have to overcome let's get everybody quickly on track we have a simple buffer overflow vulnerability originally the goal was to overflow into another variable to change the outcome of an if case but this is not possible anymore because the buffer is now placed after the variable not before so to execute the if case we want we could maybe overflow the return point on the stack and simply redirect the code execution there but an issue that we face is the St cookie which contains three random bytes that are checked before the function returns so in in order to overflow the return pointer we would have to guess the cookie this means we have to write an exploit which executes the target over and over again millions of times always guessing a that cookie and eventually we should get lucky but before we write that code let's first develop the exploit as if we know the cookie value this input really must be correct in order for it to work once we gets the correct cookie value so we have to debug this heavily let's start by opening the binary in GDB with pay extension which makes it look nicer and let's just enter a lot of characters in order to observe what happens oops stack smashing detected we obviously want to ignore that for now so let's set a breakpoint just before it would continue to stack check fail and then set EIP to where it would have jumped to if the cookie was correct with a simple commands directive we can automate this every time this break point is hit and then continue segmentation fault that's what we would expect awesome oh segmentation fault at the return not a stack fault because we redirected code execution to faulty memory look at the stack register ESP points to invalid memory so when the return instruction wants to look up the return point on the deck it tries to follow where ESP points to and that is obviously accessing invalid memory then Dam how did we override and modify the stack pointer let's look again at the disassembly down here just before the return so value referenced by the base pointer so value on the stack is moved into ECX and then EC xus Force calculated and that becomes the new stack pointer and when we look at the beginning of this function we can see that the stack pointer minus 4 is stored in ECX and pushed onto the St de so the stack pointer is also saved on the stack I think that's another mitigation attempt because before we are able to control the return pointer we first have to control the stack pointer at first this doesn't seem to be an issue because this just means we have to write a valid stack pointer and point it into the buff we control and then the return will take the return pointer we control and the buff our ESP points to when we win but the issue is this modern system also has now a aslr we can see that if we reenable aslr in the debugger and run it a few times observe the ESP value it's always different I admit it's not fully random but it's more bytes we would have to guess and to hit the cookie and the Val stack address is starting to look really bad let's say we would know the base memory of the stick would that help us there's even more here let's rerun the program again and this time let's see where ESP points to and compare it to where the STI actually starts in memory and when you do this a few times you can quickly see that ESP varies quite a lot from where the stti really starts in fact there's a huge gap with a random size of just zeros between the start of the stck we use in the code where ESP points to and the environment variables that are actually the beginning of the stack memory area I think this is another way to randomize values because aslr would only randomize the upper parts of an address and this way also the lower bites become unpredictable the game of exploitation has clearly changed there are more hurdles so does this mean now it's game over it's not exploitable anymore we can't do it with a single input overflow well there is a way but we have to get creative it's not as easy anymore okay so so we know there is a cookie on the stick and we believe it's brot forceable so let's assume we found the correct cookie how do we go from there we know that a valid deck pointer is stored after the cookie right the value of ESP was saved at the beginning and restored here at the end again which means we can abuse that we don't have to override the whole pointer what if it just corrupt the first spite so the lowest part of the address which means that the stack point pointer stays valid but suddenly points into slightly different stack memory and maybe we can make it slightly Point into the buffer we control which is just a bit lower than the stored ESP value here so then we restore this slightly off value return can now follow the address as it points into valid stack memory and take the address there to return into and if it points into our buffer now we can control where we want to return to and we could return into the if case that prints our goal we can achieve that by writing enough data to the buffer so that we fill up just short of the stored stack pointer and because strings end with a zero byte in C a null bite will be written to the lowest part of the stor E P value thus make it a bit smaller and when we are lucky it points into our buffer let's figure out the length so when we run it with the long input we see that ESP got overwritten with ssss one bite is four lower than the others thus became an O which was caused by the e xus 4 so this means we want to stop right before that and when we run it now we see that ESP ends now in FC so it worked because we predicted the lowest part in this deck is overwritten with zero and because of ECX - 4 so 0 - 4 we end up with FC but as you can see we didn't get lucky ESP points not into our buffer so let's rerun it a few times and do the same and at some point we will get lucky and now ESP points to our buffer and we now return we actually return into 404d 44d which is mmmm it worked actually the randomization of the zero padding on this deck makes this work because at some point the lowest randomized value of the address will be just right so that the zero is the right amount of change so ESP points into our buffer but you also see it's not 100% reliable we have to guess the cookie correct and then hope that the ESP randomization is also nice to us but that's fairly common so I hope that it's common enough to still make it feasible so now all that we have to do is put it together let's write a quick python script we import stru to convert the address to a 4 byte string the lampda help bar function for that and then we simply make our exploit string fill the buffer with mostly the add we want to return to and we hope we can make ESP point2 into this area and then comes the cookie value which we later have to write some brute forcing Logic for after that comes the four more bytes and that's it then we print it looks good you see the raw bites are output with hex dump so we write it to a fire and let's set a breakpoint at the cookie check to make sure that the cookie is in the right place and then we can use the file as input in GDB first breakpoint was the cookie check and we can see we all wrote the cookie with cook now when I press continue the other breakpoint from way before will hit and skip the cookie check and reach a return oh and look at that we got lucky with ESP and ESP actually points into our buffer when we now continue we return into the if case that prints the modified string and there it is amazing so the exploit theore ically works all that is left is the cookie brute forcing unfortunately that deserves its own episode again it's just programming but doing it you can learn a lot about Linux and I don't want to squeeze it in here again try to do that part yourself you could really learn a lot [Music]
Original Description
In part 2 we have a closer look at stack0 on a modern system. We are trying to plan an exploit that works in case we can guess the stack cookie. We have to be a bit creative here.
stack0: https://liveoverflow.com/binary_hacking/protostar/stack0.html
-=[ 🔴 Stuff I use ]=-
→ Microphone:* https://geni.us/ntg3b
→ Graphics tablet:* https://geni.us/wacom-intuos
→ Camera#1 for streaming:* https://geni.us/sony-camera
→ Lens for streaming:* https://geni.us/sony-lense
→ Connect Camera#1 to PC:* https://geni.us/cam-link
→ Keyboard:* https://geni.us/mech-keyboard
→ Old Microphone:* https://geni.us/mic-at2020usb
US Store Front:* https://www.amazon.com/shop/liveoverflow
-=[ ❤️ Support ]=-
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join
-=[ 🐕 Social ]=-
→ Twitter: https://twitter.com/LiveOverflow/
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/
-=[ 📄 P.S. ]=-
All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Programm.
#BinaryExploitation #BufferOverflow
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from LiveOverflow · LiveOverflow · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
LiveOverflow - Trailer
LiveOverflow
Introduction to Linux - Installation and the Terminal - bin 0x01
LiveOverflow
Writing a simple Program in C
LiveOverflow
Writing a simple Program in Python - bin 0x03
LiveOverflow
Live Hacking - Twitch Recording overthewire.org - Vortex 0x01-0x03 (3h)
LiveOverflow
Reversing and Cracking first simple Program - bin 0x05
LiveOverflow
Abusing the exception handler to leak flag - 32C3CTF readme (pwnable 200)
LiveOverflow
ROP with a very small stack - 32C3CTF teufel (pwnable 200)
LiveOverflow
Uncrackable Programs? Key validation with Algorithm and creating a Keygen - Part 1/2 - bin 0x07
LiveOverflow
Uncrackable Program? Finding a Parser Differential in loading ELF - Part 2/2 - bin 0x08
LiveOverflow
Syscalls, Kernel vs. User Mode and Linux Kernel Source Code - bin 0x09
LiveOverflow
Smashing the Stack for Fun and Profit - setuid, ssh and exploit.education - bin 0x0B
LiveOverflow
Live Hacking - EFF-CTF 2016 - Level 0-4 (Enigma Conference)
LiveOverflow
First Stack Buffer Overflow to modify Variable - bin 0x0C
LiveOverflow
First Exploit! Buffer Overflow with Shellcode - bin 0x0E
LiveOverflow
Buffer Overflows can Redirect Program Execution - bin 0x0D
LiveOverflow
Doing ret2libc with a Buffer Overflow because of restricted return pointer - bin 0x0F
LiveOverflow
Reverse engineering C programs (64bit vs 32bit) - bin 0x10
LiveOverflow
pwnable.kr - Levels: fd, collision, bof, flag
LiveOverflow
Reverse Engineering and identifying Bugs - BKPCTF cookbook (pwn 6) part 1
LiveOverflow
Leaking Heap and Libc address - BKPCTF cookbook (pwn 6) part 2
LiveOverflow
Arbitrary write with House of Force (heap exploit) - BKPCTF cookbook (pwn 6) part 3
LiveOverflow
Live Hacking - Internetwache CTF 2016 - web50, web60, web80
LiveOverflow
Live Hacking - Internetwache CTF 2016 - crypto60, crypto70, crypto90
LiveOverflow
A simple Format String exploit example - bin 0x11
LiveOverflow
NEW VIDEOS ARE COMING - loopback 0x00
LiveOverflow
HTML + CSS + JavaScript introduction - web 0x00
LiveOverflow
The HTTP Protocol: GET /test.html - web 0x01
LiveOverflow
Building Poor Man's Logic Analyzer with an Arduino - Reverse Engineering A/C Remote part 1
LiveOverflow
What is PHP and why is XSS so common there? - web 0x02
LiveOverflow
Introducing the AngularJS Javascript Framework - XSS with AngularJS 0x00
LiveOverflow
Sandbox Bypass in Version 1.0.8 - XSS with AngularJS 0x1
LiveOverflow
Capturing & Analyzing Packets with Saleae Logic Pro 8 - Reverse Engineering A/C Remote part 2
LiveOverflow
XSS Contexts and some Chrome XSS Auditor tricks - web 0x03
LiveOverflow
Previous Bypass is now fixed in version 1.4.7 - XSS with AngularJS 0x2
LiveOverflow
New Sandbox Bypass in 1.4.7 - XSS with AngularJS 0x3
LiveOverflow
The Heap: what does malloc() do? - bin 0x14
LiveOverflow
The Heap: How to exploit a Heap Overflow - bin 0x15
LiveOverflow
Reverse Engineering with Binary Ninja and gdb a key checking algorithm - TUMCTF 2016 Zwiebel part 1
LiveOverflow
Scripting radare2 with python for dynamic analysis - TUMCTF 2016 Zwiebel part 2
LiveOverflow
Live Hacking - Internetwache CTF 2016 - exp50, exp70, exp80
LiveOverflow
Sandbox bypass for the latest AngularJS version 1.5.8 - XSS with AngularJS 0x4
LiveOverflow
Channel is growing and Riscure hardware CTF starting soon - loopback 0x01
LiveOverflow
Explaining Dirty COW local root exploit - CVE-2016-5195
LiveOverflow
What is CTF? An introduction to security Capture The Flag competitions
LiveOverflow
The Heap: How do use-after-free exploits work? - bin 0x16
LiveOverflow
The Browser is a very Confused Deputy - web 0x05
LiveOverflow
The Heap: Once upon a free() - bin 0x17
LiveOverflow
Simple reversing challenge and gaming the system - BruCON CTF part 1
LiveOverflow
int0x80 from DualCore lent me his lockpicking set and I'm a horse - BruCON CTF part 2
LiveOverflow
The Heap: dlmalloc unlink() exploit - bin 0x18
LiveOverflow
MD5 Length Extension and Blind SQL Injection - BruCON CTF part 3
LiveOverflow
TCP Protocol introduction - bin 0x1A
LiveOverflow
Socket programming in python and Integer Overflow - bin 0x1B
LiveOverflow
Linux signals and core dumps - bin 0x1C
LiveOverflow
[Live] Remote oldschool dlmalloc Heap exploit - bin 0x1F
LiveOverflow
Riscure Embedded Hardware CTF setup and introduction - rhme2 Soldering
LiveOverflow
Rooting a CTF server to get all the flags with Dirty COW - CVE-2016-5195
LiveOverflow
How to learn hacking? ft. Rubber Ducky
LiveOverflow
Format String to dump binary and gain RCE - 33c3ctf ESPR (pwn 150)
LiveOverflow
More on: Network Security
View skill →Related Reads
📰
📰
📰
📰
10 Cybersecurity Companies Serving Los Angeles Businesses
Medium · Cybersecurity
How Palo Alto App-ID Works (Beginner-Friendly Guide)
Medium · Cybersecurity
The Price of Professional Visibility on Personal Data Security
Dev.to · Mustafa ERBAY
Fool’s Mate (TryHackMe): I Checkmated the Bot, the Server Still Said No — So I Polluted Its…
Medium · Cybersecurity
🎓
Tutor Explanation
DeepCamp AI