Don't like this style? Click here to change it! blue.css

Welcome .... Click here to logout

Today's Intellectual Goals:

Class 3: Intro to x86, anatomy of an exploit, crackmes, Radare2

OK, so we have been turning C into x86 and recognizing patterns.

The job today is to understand what really happens as a CPU runs a program and to learn the most important (basic) instructions and what they do.

Also I'm loving this Godbolt compiler explorer:

Semester-long Goal:

Exploiting programs that run x86

The framework

The general setup of a PWN problem is like this:

A vulnerable binary is running on a remote server on an exposed port.

On that server is intel we want to get (in CTFs it is a file named flag.txt or some hidden string formatted ninja{1337_sp34k_h3re})

Solving a PWN problem has these steps:

  1. Check how fortified the binary is (checksec --file=thebinary)
  2. Reverse Engineer the binary (Using your prefrence of Radare2, gdb, ida pro, cutter, etc.)
  3. Exploit the binary locally (using python pwntools and a fake flag)
  4. Adjust your exploit to the remote server (also pwntools)
  5. Profit

The goal is to cause the program to jump off the normal rails and execute forbidden code.

So steps 2 and 3 are the most interesting for us and while every problem is different the things we're looking for are basically this:

  1. Where in the flow of the program will you be corrupting the instruction pointer?
  2. If you need to know the address of some interesting target (say the location of an instruction that can open a shell), how will you learn that address? This is often tough because addresses are partially randomized on every execution of the binary.
  3. How will you drop malicious data into RAM? Getting a malicious address into just the right spot or corrupt a variable or whatever you need to accomplish the goal.

Essentially every exploit will answer those 3 parts throughout this course.

Early on, we will turn off the address randomization so you can ignore question 2, and for the first quarter of the class the answer to question 1 is simply, "at a ret instruction".

But I wanted to take the time to give you a framework that contextualizes everything else.

Radare2 and Debugging

OK so now let's introduce my favorite command-line reversing program:

Compile a simple C program and run r2 -Ad a.out then db main then dc then Vpp

Now you can navigate around using j and k, go into a command menu with : make a step with s or step over with S.

Let's look together at how registers work, how the instruction pointer moves, how the intruction addresses work, and see the above instructions in action.

You win when you can predict what will happen then see it happen.

First sets of "crackme"s

Find the flags: This GitHub Repo has crackme0x00a crackme0x00b and crackme0x01, solve them.

Here are some binaries from real CTFs of the recent past:

yopass CTF{sha256}

cat.elf ctf{sha256}


pwn_bazooka_bazooka CTF{sha256}