Socket programming in python and Integer Overflow - bin 0x1B

LiveOverflow · Intermediate · 🛡️ AI Safety & Ethics · 9y ago

Key Takeaways

This video teaches socket programming in Python by solving Protostar network level 1 (net1), then network level 2 (net2), where the sum of four 32-bit integers wraps around: an integer overflow.

Full Transcript

These networking levels from Protostar are not really security related, but they are great to do some first simple network programming, and just for the sake of having a complete series from exploit-exercises we will solve these challenges too. The previous two videos were already a good introduction to networking, sockets, TCP and so on, so let's build on this foundation by writing a Python script to interact with this program over the network. Especially for CTFs this is an important part, because for many, many challenges you interact with a service over TCP, so the exploit you write has to do this over the network.

Let's have a look at this level. I won't go over the meaning of all these unknown functions, because we have done so in episode 0x19. As we see in the defines, or simply by checking netstat on the VM, we can see that net level one is running on port 2998. Again we could use netcat to talk to the server, but this time we want to write a Python script. But let's first have a look at the run function. First, run generates a random unsigned integer and then we sprintf the number into fub. We haven't seen sprintf before: other than regular printf, which writes the resulting string to stdout, sprintf will write the resulting string to the address specified in the first argument, in this case fub. This means fub will contain the decimal representation of the number in ASCII and not the raw byte values. Then write will write to the socket; that's sending us the integer number as the raw bytes, that's what we saw returned by netcat. After that the program will wait for user input with fgets. Once we send some data it will overwrite any newline or carriage return with a null byte. This makes sense, because when we for example use netcat and hit enter to send something, it will include a newline at the end, because that's the key we pressed, but obviously this program only wants the characters we actually meant to send, thus stripping away the newline. Then it compares the original number with the number it received and either prints success or fail.

So let's start to write our Python script. But how do we do that? Maybe a first hint on how to do network programming could be to look at how netcat connects to a server, so we can use strace to trace all syscalls of netcat. Now let's try to identify the important ones and then we try to figure out how to implement them in Python. The first one is obviously the call to socket, so let's look into the Python socket documentation on how to do that in our script. So the call to socket uses the parameters PF_INET and SOCK_STREAM, and when we look here in the Python doc we see something very similar, except that it suggests to use AF_INET. So I wonder what's the difference between PF_INET and AF_INET. So I Google, and surprisingly it turns out that this is a remnant of an idea that never really took off, and in fact in the Linux kernel it's now simply defined as being the same as AF_INET. Huh, learned something today. The Python doc then uses connect with a hostname or an IP and port, which we can see in the strace here: it's called with port 2998 and the IP address 127.0.0.1, so we can also just use that. Cool, now we can use send and recv with the socket. Obviously we want to read the number that is sent to us, so we use recv, but we have to specify how much data we want to read. In this case we expect an unsigned integer, which is 32 bits large, thus we have to read four bytes. Now let's simply print the data we receive and then test it. Cool. By the way, also notice that when we request a new number very quickly, a lot of numbers are the same and not random. That's because in the code the random number generator is seeded by the time in seconds, thus if we send fast enough the second will be the same and thus produce the same pseudo-random number. Don't you ever use a non-random source as a seed for a pseudo-random number generator if it's important.

And now it's easy to solve it, because we are already very experienced with converting numbers to raw bytes and raw bytes to numbers from all the exploits with memory values that we have written. So we can simply use the struct module and convert the raw binary data back to an unsigned integer and then send it as a string back to the server. Remember that struct.unpack returns a tuple, so the actual unpacked number is the first element. Hm, it seems to hang. Let's try it again. Now it seems to work. The recv hangs when it is waiting for data and doesn't get any, so I assume the server sends too fast and there is no buffer buffering the data, and when we are finally ready to receive data, the data is already lost in the void. Anyhow, it worked. Doesn't have to be perfect, as long as you succeed once the attack was successful.

This episode is so short and these challenges are not really about security anyway, so let's quickly solve the next one too. net2 is very similar: we again have a network set up with a program listening on port 2997. In the run function we see a for loop that runs four times, and each time it generates a random number, adds it to the sum of them all and sends it over the network. The description also says that we have to add four 32-bit integers, and it already warns us about the possibility of it wrapping, or in proper terms, it warns us about an integer overflow, which again is security relevant. Okay, so let's copy our previous script and quickly modify it to read four integers and then calculate the sum. We can simply extend the struct.unpack modifier and then we can also just create a sum over the resulting tuple. Easy as that. The code expects the result not in an ASCII decimal representation but as raw binary, so we can use struct.pack to convert it to a binary string and then send it. Oh, huh. I wanted to show that this doesn't work because of the integer overflow. If you have a look at the result of the sum in binary, we can see that it contains more than 32 bits, and that cannot be, an integer is only 32 bits large. So what happens is that the integer is simply overflowing or wrapping around. This means the carry of the highest bit is just lost. Well, it's not entirely true: the CPU is actually aware of this. When an arithmetic operation such as an addition ends up overflowing the value in a register, a special overflow flag is set that could be checked. But anyway, in this case our unsigned integer on the server always wraps around, and apparently this old Python struct version actually did that for us, but this behavior got deprecated, so we can simply do the same in our code.

As I said, the issue is called integer overflow, and when you search for this you will find many bug reports about it. Let's make a simple example of a typical integer overflow issue. Let's say you have a loop that keeps reading data and adds the size to an overall size variable. Once it's done with the loop it will know for how much data it has to allocate space. The issue is now: if you manage to send so much data that the counter overflows, wraps around, a smaller space is allocated for the huge amount of data and then you have a typical overflow condition. We are slowly heading into the final levels of exploit-exercises Protostar and we start to see a little bit more intricate challenges, so let's stay focused and tackle the next one.
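The two client scripts the video walks through, written out here as an added example (this is not the video's own code). It assumes the Protostar VM is reachable at 127.0.0.1 on the ports the video names (2998 for net1, 2997 for net2), that the server sends its integers in little-endian byte order (the VM is 32-bit x86) and that net1 strips the trailing newline before comparing, as the transcript describes. It also adds what a practitioner would want beyond the video: recv is looped until all four bytes have arrived (a single recv on TCP may return a short read, which is one explanation for the hang the video hits), and a checked adder sits next to the wrapping one to show the mitigation for the size-counter overflow the transcript ends with.

```python
import socket
import struct

U32_MAX = 0xFFFFFFFF                 # largest value a 32-bit unsigned integer holds
HOST = "127.0.0.1"                   # Protostar VM address used in the video (assumed)
PORT_NET1, PORT_NET2 = 2998, 2997    # ports named in the video (assumed unchanged)


def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket.

    recv(n) may legally return fewer than n bytes, so loop until the buffer
    is full; an empty chunk means the peer closed the connection.
    """
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def unpack_u32s(raw):
    """Convert raw bytes into a tuple of unsigned 32-bit integers.

    '<' selects little-endian (assumption: x86 VM); the count prefix lets the
    same format string serve net1 (one value) and net2 (four values).
    """
    count, rem = divmod(len(raw), 4)
    if rem:
        raise ValueError("length %d is not a multiple of 4" % len(raw))
    return struct.unpack("<%dI" % count, raw)


def net1_reply(raw):
    """net1: one raw uint32 arrives; the server wants its decimal ASCII form.

    The newline lets the server's fgets return; it is overwritten with a
    null byte before the comparison, as the video explains.
    """
    (value,) = unpack_u32s(raw)      # struct.unpack returns a tuple; take element 0
    return str(value).encode("ascii") + b"\n"


def wrapping_sum_u32(values):
    """Add the way the server's 32-bit C code does: the carry out of bit 31 is lost."""
    return sum(values) & U32_MAX


def net2_reply(raw):
    """net2: four raw uint32s arrive; send back the wrapped sum as raw bytes."""
    return struct.pack("<I", wrapping_sum_u32(unpack_u32s(raw)))


def checked_sum_u32(values):
    """Defensive counterpart for the size-counter scenario at the end of the video.

    Refuses to accumulate past U32_MAX instead of silently wrapping, so an
    allocation sized from this total can never be smaller than the data.
    """
    total = 0
    for v in values:
        if v > U32_MAX - total:      # the subtraction itself cannot go negative
            raise OverflowError("32-bit size counter would wrap")
        total += v
    return total


def play(port, count, make_reply):
    """Connect, read `count` uint32s, answer with make_reply(raw), return the verdict."""
    with socket.create_connection((HOST, port), timeout=5) as s:
        raw = recv_exact(s, 4 * count)
        s.sendall(make_reply(raw))
        return s.recv(1024)


if __name__ == "__main__":
    print("net1:", play(PORT_NET1, 1, net1_reply))
    print("net2:", play(PORT_NET2, 4, net2_reply))
```

Running the file against the VM prints the server's verdict for each level. The two adders make the point of the net2 warning concrete: `wrapping_sum_u32` reproduces what the 32-bit server computes, while `checked_sum_u32` is what code that turns a running total into an allocation size should do instead.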

Original Description

Solving network level 1 with socket programming in python. protostar/net1: https://exploit.education/protostar/net-one/

-=[ 🔴 Stuff I use ]=-
→ Microphone:* https://geni.us/ntg3b
→ Graphics tablet:* https://geni.us/wacom-intuos
→ Camera#1 for streaming:* https://geni.us/sony-camera
→ Lens for streaming:* https://geni.us/sony-lense
→ Connect Camera#1 to PC:* https://geni.us/cam-link
→ Keyboard:* https://geni.us/mech-keyboard
→ Old Microphone:* https://geni.us/mic-at2020usb
US Store Front:* https://www.amazon.com/shop/liveoverflow

-=[ ❤️ Support ]=-
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

-=[ 🐕 Social ]=-
→ Twitter: https://twitter.com/LiveOverflow/
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/

-=[ 📄 P.S. ]=-
All links with "*" are affiliate links. LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Programm.
#NetworkSecurity