

GitHub - xairy/easy-linux-pwn: A set of Linux binary exploitation tasks for begi...
source link: https://github.com/xairy/easy-linux-pwn

README.md
# Easy Linux PWN

This is a set of Linux binary exploitation tasks for beginners. Right now they cover only stack buffer overflows.

I've created these tasks to learn how to do simple binary exploitation on different architectures. For educational purposes, while solving the tasks you have to follow the set of rules listed below. The tasks are made deliberately small, and some of the rules are deliberately unrealistic. Unlike most CTF challenges, in these tasks the solution is given to you; you just have to implement it.
## Rules

- All tasks must be solved using the suggested approach, even if there are other, easier ways.
- All tasks must be solved with specific protections assumed to be enabled or disabled (even if the architecture, the toolchain or the environment doesn't support it).
- All tasks assume a dynamically linked libc with a known binary.
- All ROP chains must be built manually.
## Tasks

### Suggested approaches

- 01-local-overflow: overflow `buffer` and overwrite `x` with the desired value.
- 02-overwrite-ret: overwrite any of the return addresses on the stack with the address of `not_called()`.
- 03-one-gadget: jump to a one_gadget address. Make sure to satisfy the required constraints if there are any. For some of the architectures this might require using a ROP chain, which technically makes "one_gadget" no longer "one".
- 04-shellcode-static: allocate a shellcode on the stack that launches `/bin/sh` and jump to it. Assume that the shellcode address on the stack is known. No need to deal with cache coherency on ARM, MIPS and PowerPC.
- 05-shellcode-dynamic: same as the previous task, but here the stack address (and therefore the shellcode address on the stack) is unknown.
- 06-system-rop: compose a ROP chain to execute `system("/bin/sh")`.
- 07-execve-rop: compose a ROP chain to execute `execve("/bin/sh", NULL, NULL)` via a syscall. Explicitly specify the second and third arguments.
- 08-overwrite-global: compose a ROP chain to overwrite `x` with the desired value and then jump to `not_called()`.
### Protections

Blank cells mean the protection state is not relevant for the suggested approach.

| Task | Binary* | Stack* | Libc* | Canary | NX | RELRO |
|---|---|---|---|---|---|---|
| 01-local-overflow | | | | No | | |
| 02-overwrite-ret | Known | | Known | No | | |
| 03-one-gadget | Known | | Known | No | | |
| 04-shellcode-static | | Known | | No | No | |
| 05-shellcode-dynamic | Known | | Known | No | No | |
| 06-system-rop | Known | | Known | No | | |
| 07-execve-rop | Known | | Known | No | | |
| 08-overwrite-global | Known | | Known | No | | |

\* refers to whether the address of the binary, stack or libc is known. This allows finer-grained control than a plain ASLR/PIE on/off switch.

To disable ASLR:

```sh
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
```

To enable ASLR:

```sh
echo 2 | sudo tee /proc/sys/kernel/randomize_va_space
```
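Before assuming the protection row above for a task, it is worth confirming what the built binary actually has. The following checker is an added example (not part of the repository) that derives the PIE, NX, RELRO and canary state from `readelf` output; it assumes binutils `readelf` is on PATH, and the two embedded readelf excerpts are constructed samples.

```python
import re
import subprocess

def parse_protections(readelf_out):
    """Map `readelf -W -h -l -d -s` text to the states used in the table above."""
    prot = {"pie": "No", "nx": "No", "relro": "No", "canary": "No"}
    # PIE: a position-independent executable has ELF type DYN, not EXEC.
    if re.search(r"^\s*Type:\s+DYN\b", readelf_out, re.M):
        prot["pie"] = "Yes"
    # NX: the GNU_STACK program header carries no E (execute) flag.
    m = re.search(r"^\s*GNU_STACK\s+(?:0x[0-9a-fA-F]+\s+){5}([RWE]+)",
                  readelf_out, re.M)
    if m and "E" not in m.group(1):
        prot["nx"] = "Yes"
    # RELRO: a GNU_RELRO segment gives partial RELRO; BIND_NOW in .dynamic
    # (all GOT entries resolved at load time) upgrades it to full.
    if re.search(r"^\s*GNU_RELRO\b", readelf_out, re.M):
        now = re.search(r"\bBIND_NOW\b|Flags:.*\bNOW\b", readelf_out)
        prot["relro"] = "Full" if now else "Partial"
    # Canary: gcc -fstack-protector emits calls to __stack_chk_fail.
    if "__stack_chk_fail" in readelf_out:
        prot["canary"] = "Yes"
    return prot

def check_binary(path):
    """Run readelf (binutils) on a built task, e.g. ./bin/x86-64/01-local-overflow."""
    out = subprocess.run(["readelf", "-W", "-h", "-l", "-d", "-s", path],
                         capture_output=True, text=True, check=True).stdout
    return parse_protections(out)

# Constructed readelf excerpts (only the lines the parser inspects are kept).
WEAK = """\
  Type:                              EXEC (Executable file)
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND gets@GLIBC_2.2.5 (2)
"""
HARDENED = """\
  Type:                              DYN (Shared object file)
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x002d98 0x0000000000003d98 0x0000000000003d98 0x000268 0x000268 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
"""

if __name__ == "__main__":
    print("weak:", parse_protections(WEAK))
    print("hardened:", parse_protections(HARDENED))
```

Run `check_binary()` on each file under `./bin/<arch>/` to compare the real state with the table; a binary that unexpectedly shows `canary: Yes` or `nx: Yes` was built with a toolchain default the task does not intend.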
## Solutions

These solutions are provided only for reference and are not portable (they contain hardcoded addresses and offsets and were only tested in a single environment).

Architecture columns, in order: x86, x86-64, arm, arm64, mips, mips64, ppc, ppc64, sparc64. A `+` marks an architecture with a reference solution.

- 01-local-overflow: + + + + + + + + +
- 02-overwrite-ret: + + + + + + + + +
- 03-one-gadget: + +
- 04-shellcode-static: + + + + + + + +
- 05-shellcode-dynamic: + + + + + + +
- 08-overwrite-global: + + + + + + + +
## Prerequisites

The tasks were tested on an x86-64 machine with Linux Mint 19.1 and the following software versions:

| Software | Version |
|---|---|
| GCC | (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0 |
| glibc | (Ubuntu GLIBC 2.27-3ubuntu1) 2.27 |
| QEMU | 2.11.1 (Debian 1:2.11+dfsg-1ubuntu7.12) |
| GDB | (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git |
| pwntools | 3.12.2 |
| Ropper | 1.11.13 |

Issues:

- `qemu-ppc64` requires a newer QEMU (with this patch), so you'll need to build QEMU from source. If the manually built QEMU doesn't know where to look for dynamic libs, run `export QEMU_LD_PREFIX=/etc/qemu-binfmt/ppc64/` before using `pwntools`.
- `ropper` has poor support for `ppc` and `ppc64`, so this patch is recommended to recognize more gadgets.
- `ropper` doesn't recognize `ppc64` binaries automatically and requires this patch (you may also explicitly provide `--arch PPC64`).
- `pwntools` doesn't set the arch name for GDB for `sparc64` correctly and requires this patch.
- `ropper` (nor `ROPgadget`) doesn't support `sparc64` and requires this patch.
## Setup

Install packages:

```sh
sudo apt-get install build-essential
sudo apt-get install gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu gcc-mips-linux-gnu gcc-mips64-linux-gnuabi64 gcc-powerpc-linux-gnu gcc-powerpc64-linux-gnu gcc-sparc64-linux-gnu
sudo apt-get install libc6-dev:i386 libc6-armhf-cross libc6-arm64-cross libc6-mips-cross libc6-mips64-cross libc6-powerpc-cross libc6-ppc64-cross libc6-sparc64-cross
sudo apt-get install qemu-user
sudo apt-get install gdb gdb-multiarch
# These are probably not required, but just in case:
# sudo apt-get install gcc-7-multilib gcc-multilib-arm-linux-gnueabi gcc-multilib-mips-linux-gnu gcc-multilib-mips64-linux-gnuabi64 gcc-multilib-powerpc-linux-gnu gcc-multilib-powerpc64-linux-gnu
```

Build the binaries:

```sh
./build.sh
```

Install pwntools and ropper (assuming that you have `pip` installed):

```sh
pip install --user pwntools ropper
```

Set up `qemu-binfmt` for QEMU and pwntools:

```sh
sudo mkdir /etc/qemu-binfmt
sudo ln -s /usr/arm-linux-gnueabihf/ /etc/qemu-binfmt/arm
sudo ln -s /usr/aarch64-linux-gnu /etc/qemu-binfmt/aarch64
sudo ln -s /usr/mips-linux-gnu/ /etc/qemu-binfmt/mips
sudo ln -s /usr/mips64-linux-gnuabi64/ /etc/qemu-binfmt/mips64
sudo ln -s /usr/powerpc-linux-gnu/ /etc/qemu-binfmt/ppc
sudo ln -s /usr/powerpc64-linux-gnu/ /etc/qemu-binfmt/ppc64
sudo ln -s /usr/sparc64-linux-gnu/ /etc/qemu-binfmt/sparc64
```
## More

In case you want to run the binaries and QEMU manually:

```sh
gdbserver --no-disable-randomization localhost:1234 ./bin/x86/00-hello-pwn
gdbserver --no-disable-randomization localhost:1234 ./bin/x86-64/00-hello-pwn
qemu-arm -L /usr/arm-linux-gnueabihf/ -g 1234 ./bin/arm/00-hello-pwn
qemu-aarch64 -L /usr/aarch64-linux-gnu/ -g 1234 ./bin/arm64/00-hello-pwn
qemu-mips -L /usr/mips-linux-gnu/ -g 1234 ./bin/mips/00-hello-pwn
qemu-mips64 -L /usr/mips64-linux-gnuabi64/ -g 1234 ./bin/mips64/00-hello-pwn
qemu-ppc -L /usr/powerpc-linux-gnu/ -g 1234 ./bin/ppc/00-hello-pwn
qemu-ppc64 -L /usr/powerpc64-linux-gnu/ -g 1234 ./bin/ppc64/00-hello-pwn
qemu-sparc64 -L /usr/sparc64-linux-gnu/ -g 1234 ./bin/sparc64/00-hello-pwn
```

```sh
gdb -q -ex "set architecture i386" -ex "set solib-search-path /lib/i386-linux-gnu/" -ex "target remote localhost:1234" ./bin/x86/00-hello-pwn
gdb -q -ex "target remote localhost:1234" ./bin/x86-64/00-hello-pwn
gdb-multiarch -q -ex "set architecture arm" -ex "set solib-absolute-prefix /usr/arm-linux-gnueabihf/" -ex "target remote localhost:1234" ./bin/arm/00-hello-pwn
gdb-multiarch -q -ex "set architecture aarch64" -ex "set solib-absolute-prefix /usr/aarch64-linux-gnu/" -ex "target remote localhost:1234" ./bin/arm64/00-hello-pwn
gdb-multiarch -q -ex "set architecture mips" -ex "set solib-absolute-prefix /usr/mips-linux-gnu/" -ex "target remote localhost:1234" ./bin/mips/00-hello-pwn
gdb-multiarch -q -ex "set architecture mips64" -ex "set solib-absolute-prefix /usr/mips64-linux-gnuabi64/" -ex "target remote localhost:1234" ./bin/mips64/00-hello-pwn
gdb-multiarch -q -ex "set architecture powerpc:common" -ex "set solib-absolute-prefix /usr/powerpc-linux-gnu/" -ex "target remote localhost:1234" ./bin/ppc/00-hello-pwn
gdb-multiarch -q -ex "set architecture powerpc:common64" -ex "set solib-absolute-prefix /usr/powerpc64-linux-gnu/" -ex "target remote localhost:1234" ./bin/ppc64/00-hello-pwn
gdb-multiarch -q -ex "set architecture sparc:v9" -ex "set solib-absolute-prefix /usr/sparc64-linux-gnu/" -ex "target remote localhost:1234" ./bin/sparc64/00-hello-pwn
```

If you want to do full system emulation, you can do that either manually via `qemu-system-*` or via arm_now.
## Materials

I'm not aiming to provide a thoroughly collected list of materials to learn binary exploitation here, so for the most part you should rely on your own ability to find them. I'll still put here some links that I have found helpful.

### x86 and x86-64

Countless tutorials are available online for these architectures.

### arm

- INTRODUCTION TO ARM ASSEMBLY BASICS [articles]
- ARM shellcode and exploit development [slides]

### arm64

- ARM Architecture Reference Manual ARMv8, for ARMv8-A architecture profile [book]
- Introduction to A64 Instruction Set [slides]
- ROP-ing on Aarch64 - The CTF Style [article]
- GoogleCTF - forced-puns [article]

### mips

- MIPS IV Instruction Set [book]
- MIPS Calling Convention [article]
- EXPLOITING BUFFER OVERFLOWS ON MIPS ARCHITECTURES [article]
- Exploiting a MIPS Stack Overflow [article]

Notes:

- mips has a branch delay slot.

### mips64

- MIPS64 Architecture For Programmers Volume II: The MIPS64 Instruction Set [book]
- Linux MIPS ELF reverse engineering tips [article]

Notes:

- mips64 has a branch delay slot.
- Functions expect to be called through `$t9`.

### ppc

- PowerPC User Instruction Set Architecture Book I Version 2.01 [book]
- POWERPC FUNCTION CALLING CONVENTION [article]
- Router Exploitation [slides]
- CVE-2017-3881 Cisco Catalyst RCE Proof-Of-Concept [article]
- How To Cook Cisco [article]

### ppc64

- PowerPC User Instruction Set Architecture Book I Version 2.01 [book]
- 64-bit PowerPC ELF Application Binary Interface Supplement 1.9 [article]
- Deeply understand 64-bit PowerPC ELF ABI - Function Descriptors [article]

Notes:

- Functions expect a correct value of `$r2` when called.

### sparc

- The SPARC Architecture Manual Version 8 [book]
- Function Call and Return in SPARC combined with Sliding Register Windows [article]
- When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC [paper]
- Buffer Overflows On the SPARC Architecture [article]

### sparc64

- The SPARC Architecture Manual Version 9 [book]
- SPARC V9 ABI Features [article]

Notes:

- sparc64 has a branch delay slot.
- sparc64 has a stack bias of 2047 bytes.
- The sparc64 CPU used by QEMU has 8 register windows.
- Figure out why and when the `vulnerable()` register window gets loaded from the stack; none of the linked ROP tutorials mention it :)
## Someday

Some ideas for more tasks:

XX-dup2-rop, XX-aaw-rop, XX-format-string, XX-reverse-shell, XX-oneshot-write, XX-oneshot-syscall, XX-bruteforce-aslr, XX-bruteforce-canary, XX-overwrite-got, XX-partial-ret, XX-partial-got, XX-sleep-shellcode, XX-mprotect-shellcode, XX-nonull-shellcode, XX-alphanum-shellcode, XX-shellcode-encoder, XX-nop-sled, XX-ret-sled, XX-canary-master, XX-canary-leak, XX-magic-gadget, XX-stack-pivot, XX-egghunt