November 10, 2019

1358 words 7 mins read

xairy/easy-linux-pwn

xairy/easy-linux-pwn

A set of Linux binary exploitation tasks for beginners on various architectures

repo name xairy/easy-linux-pwn
repo link https://github.com/xairy/easy-linux-pwn
homepage
language Python
size (curr.) 44 kB
stars (curr.) 271
created 2019-04-07
license

Easy Linux PWN

This is a set of Linux binary exploitation tasks for beginners. Right now they are only oriented on stack buffer-overflows.

I’ve created these tasks to learn how to do simple binary exploitation on different architectures. For educational purposes while solving the tasks you have to follow a set of rules listed below. The tasks are made deliberately small and some of the rules are deliberately unrealistic. Contrary to most CTF challenges, in these tasks the solution is given to you, you just have to implement it.

Rules

  1. All tasks must be solved using the suggested approach even if there are other easier ways.

  2. All tasks must be solved with specific protections assumed to be enabled or disabled (even if the architecture, the toolchain or the environment doesn’t support it).

  3. All tasks assume a dynamically linked libc with a known binary.

  4. All ROP chains must be built manually.

Tasks

Suggested approaches

  1. 01-local-overflow: overflow buffer and overwrite x with the desired value.

  2. 02-overwrite-ret: overwrite any of the return addresses on stack with the address of not_called().

  3. 03-one-gadget: jump to a one_gadget address. Make sure to satisfy the required constaints if there are any. For some of the architectures this might require using a ROP chain, which technically makes “one_gadget” no longer “one”.

  4. 04-shellcode-static: allocate a shellcode on the stack that launches /bin/sh and jump to it. Assume that the shellcode address on the stack is known. No need to deal with cache coherency on ARM, MIPS and PowerPC.

  5. 05-shellcode-dynamic: same as the previous task, but here the stack address (and therefore the shellcode address on the stack) is unknown.

  6. 06-system-rop: compose a ROP chain to execute system("/bin/sh").

  7. 07-execve-rop: compose a ROP chain to execute execve("/bin/sh", NULL, NULL) via a syscall. Explicitly specify the second and third arguments.

  8. 08-overwrite-global: compose a ROP chain to overwrite x with the desired value and then jump to not_called().

Protections

Blank spaces mean the protection state is not relevant for the suggested approach.

Task Binary* Stack* Libc* Canary NX RELRO
01-local-overflow No
02-overwrite-ret Known Known No
03-one-gadget Known Known No
04-shellcode-static Known No No
05-shellcode-dynamic Known Known No No
06-system-rop Known Known No
07-execve-rop Known Known No
08-overwrite-global Known Known No

* - refers to the address of the binary, stack or libc. This allows to specify a more fine-grained control than traditional ASLR/PIE.

To disable ALSR:

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

To enable ASLR:

echo 2 | sudo tee /proc/sys/kernel/randomize_va_space

Solutions

These solutions are provided only for reference and are not portable (they contain hardcoded addresses and offsets and were only tested in a single environment).

Task x86 x86-64 arm arm64 mips mips64 ppc ppc64 sparc64
01-local-overflow + + + + + + + + +
02-overwrite-ret + + + + + + + + +
03-one-gadget + + +
04-shellcode-static + + + + + + + +
05-shellcode-dynamic + + + + + + +
06-system-rop + + + + + + + +
07-execve-rop + + + + + + + +
08-overwrite-global + + + + + + + +

Prerequisites

The tasks were tested on x86-64 CPU machine with Linux Mint 19.1 and the following software versions:

Software Version
GCC (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0
glibc (Ubuntu GLIBC 2.27-3ubuntu1) 2.27
QEMU 2.11.1(Debian 1:2.11+dfsg-1ubuntu7.12)
GDB (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git
pwntools 3.12.2
Ropper 1.11.13

Issues:

  1. qemu-ppc64 requires a newer QEMU (with this patch), so you’ll need to build QEMU from source. If the manually built QEMU doesn’t know where to look for dynamic libs, run export QEMU_LD_PREFIX=/etc/qemu-binfmt/ppc64/ before using pwntools.

  2. ropper has poor support for ppc and ppc64, so this patch is recommended to recognize more gadgets.

  3. ropper doesn’t recognize ppc64 binaries automatically and requires this patch (you may also explicitly provide --arch PPC64).

  4. pwntools doesn’t set arch name for GDB for sparc64 correctly and requires this patch.

  5. ropper (nor ROPgadget) doesn’t support sparc64 and requires this patch.

Setup

Install packages:

sudo apt-get install build-essential
sudo apt-get install gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu gcc-mips-linux-gnu gcc-mips64-linux-gnuabi64 gcc-powerpc-linux-gnu gcc-powerpc64-linux-gnu gcc-sparc64-linux-gnu
sudo apt-get install libc6-dev:i386 libc6-armhf-cross libc6-arm64-cross libc6-mips-cross libc6-mips64-cross libc6-powerpc-cross libc6-ppc64-cross libc6-sparc64-cross
sudo apt-get install qemu-user
sudo apt-get install gdb gdb-multiarch

# These are probably not required, but just in case:
# sudo apt-get install gcc-7-multilib gcc-multilib-arm-linux-gnueabi gcc-multilib-mips-linux-gnu gcc-multilib-mips64-linux-gnuabi64 gcc-multilib-powerpc-linux-gnu gcc-multilib-powerpc64-linux-gnu

Build the binaries:

./build.sh

Install pwntools and ropper (assuming that you have pip installed):

pip install --user pwntools ropper

Setup qemu-binfmt for QEMU and pwntools:

sudo mkdir /etc/qemu-binfmt
sudo ln -s /usr/arm-linux-gnueabihf/ /etc/qemu-binfmt/arm
sudo ln -s /usr/aarch64-linux-gnu /etc/qemu-binfmt/aarch64
sudo ln -s /usr/mips-linux-gnu/ /etc/qemu-binfmt/mips
sudo ln -s /usr/mips64-linux-gnuabi64/ /etc/qemu-binfmt/mips64
sudo ln -s /usr/powerpc-linux-gnu/ /etc/qemu-binfmt/ppc
sudo ln -s /usr/powerpc64-linux-gnu/ /etc/qemu-binfmt/ppc64
sudo ln -s /usr/sparc64-linux-gnu/ /etc/qemu-binfmt/sparc64

More

In case you want to run the binaries and QEMU manually:

gdbserver --no-disable-randomization localhost:1234 ./bin/x86/00-hello-pwn
gdbserver --no-disable-randomization localhost:1234 ./bin/x86-64/00-hello-pwn
qemu-arm -L /usr/arm-linux-gnueabihf/ -g 1234 ./bin/arm/00-hello-pwn
qemu-aarch64 -L /usr/aarch64-linux-gnu/ -g 1234 ./bin/arm64/00-hello-pwn
qemu-mips -L /usr/mips-linux-gnu/ -g 1234 ./bin/mips/00-hello-pwn
qemu-mips64 -L /usr/mips64-linux-gnuabi64/ -g 1234 ./bin/mips64/00-hello-pwn
qemu-ppc -L /usr/powerpc-linux-gnu/ -g 1234 ./bin/ppc/00-hello-pwn
qemu-ppc64 -L /usr/powerpc64-linux-gnu/ -g 1234 ./bin/ppc64/00-hello-pwn
qemu-sparc64 -L /usr/sparc64-linux-gnu/ -g 1234 ./bin/sparc64/00-hello-pwn
gdb -q -ex "set architecture i386" -ex "set solib-search-path /lib/i386-linux-gnu/" -ex "target remote localhost:1234" ./bin/x86/00-hello-pwn
gdb -q -ex "target remote localhost:1234" ./bin/x86-64/00-hello-pwn
gdb-multiarch -q -ex "set architecture arm" -ex "set solib-absolute-prefix /usr/arm-linux-gnueabihf/" -ex "target remote localhost:1234" ./bin/arm/00-hello-pwn
gdb-multiarch -q -ex "set architecture aarch64" -ex "set solib-absolute-prefix /usr/aarch64-linux-gnu/" -ex "target remote localhost:1234" ./bin/arm64/00-hello-pwn
gdb-multiarch -q -ex "set architecture mips" -ex "set solib-absolute-prefix /usr/mips-linux-gnu/" -ex "target remote localhost:1234" ./bin/mips/00-hello-pwn
gdb-multiarch -q -ex "set architecture mips64" -ex "set solib-absolute-prefix /usr/mips64-linux-gnuabi64/" -ex "target remote localhost:1234" ./bin/mips64/00-hello-pwn
gdb-multiarch -q -ex "set architecture powerpc:common" -ex "set solib-absolute-prefix /usr/powerpc-linux-gnu/" -ex "target remote localhost:1234" ./bin/ppc/00-hello-pwn
gdb-multiarch -q -ex "set architecture powerpc:common64" -ex "set solib-absolute-prefix /usr/powerpc64-linux-gnu/" -ex "target remote localhost:1234" ./bin/ppc64/00-hello-pwn
gdb-multiarch -q -ex "set architecture sparc:v9" -ex "set solib-absolute-prefix /usr/sparc64-linux-gnu/" -ex "target remote localhost:1234" ./bin/sparc64/00-hello-pwn

If you want to do full system emulation, you can do that either manually via qemu-system-* or via arm_now.

Materials

I’m not aiming to provide a thoroughly collected list of materials to learn binary exploitation here, so for the most part you should rely on your own ability to find them. I’ll still put here some links that I have found helpful.

Linux syscall tables

x86 and x86-64

Countless tutorials available online for these architectures.

arm

INTRODUCTION TO ARM ASSEMBLY BASICS [articles]

ARM shellcode and exploit development [slides]

arm64

ARM Architecture Reference Manual ARMv8, for ARMv8-A architecture profile [book]

Introduction to A64 Instruction Set [slides]

ROP-ing on Aarch64 - The CTF Style [article]

GoogleCTF - forced-puns [article]

mips

MIPS IV Instruction Set [book]

MIPS Calling Convention [article]

EXPLOITING BUFFER OVERFLOWS ON MIPS ARCHITECTURES [article]

Exploiting a MIPS Stack Overflow [article]

Notes:

  1. mips has branch delay slot.

mips64

MIPS64 Architecture For Programmers Volume II: The MIPS64 Instruction Set [book]

Linux MIPS ELF reverse engineering tips [article]

Notes:

  1. mips64 has branch delay slot.

  2. Functions expect to be called through $t9.

ppc

PowerPC User Instruction Set Architecture Book I Version 2.01 [book]

POWERPC FUNCTION CALLING CONVENTION [article]

Router Exploitation [slides]

CVE-2017-3881 Cisco Catalyst RCE Proof-Of-Concept [article]

How To Cook Cisco [article]

ppc64

PowerPC User Instruction Set Architecture Book I Version 2.01 [book]

64-bit PowerPC ELF Application Binary Interface Supplement 1.9 [article]

Deeply understand 64-bit PowerPC ELF ABI - Function Descriptors [article]

Notes:

  1. Functions expect a correct value of $r2 when called.

sparc

The SPARC Architecture Manual Version 8 [book]

Function Call and Return in SPARC combined with Sliding Register Windows [article]

When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC [paper]

Buffer Overflows On the SPARC Architecture [article]

sparc64

The SPARC Architecture Manual Version 9 [book]

SPARC V9 ABI Features [article]

Notes:

  1. sparc64 has branch delay slot.

  2. sparc64 has stack bias of 2047 bytes.

  3. sparc64 CPU used by QEMU has 8 register windows.

  4. Figure out why and when vulnerable() register window gets loaded from the stack, none of the linked ROP tutorials mention it :)

Someday

Some ideas for more tasks:

XX-dup2-rop, XX-aaw-rop, XX-format-string, XX-reverse-shell, XX-oneshot-write, XX-oneshot-syscall, XX-bruteforce-aslr, XX-bruteforce-canary, XX-overwrite-got, XX-partial-ret, XX-partial-got, XX-sleep-shellcode, XX-mprotect-shellcode, XX-nonull-shellcode, XX-alphanum-shellcode, XX-shellcode-encoder, XX-nop-sled, XX-ret-sled, XX-canary-master, XX-canary-leak, XX-magic-gadget, XX-stack-pivot, XX-egghunt

comments powered by Disqus