Class 9: Basic Buffer Overflow Exploits

So, this is the vanilla ice cream of PWNing. It's yummy, it's everywhere, if someone thinks PWN the first thing you look for is BOF (buffer over flow).

The concept is simple enough, the program let's you type in data, you type more than you should. The developer and/or compiler didn't stop you (many ways to do this).

So what is there to teach?

Mastery Task D: Reroute to a win function No-PIE

Things that need saying:

• mental models (applied calling conventions)
• debugging and how to examine your assumptions
• what exactly does PIE do
• what exactly does ASLR do?
• pwntools and identifying addresses and such

Things that need doing:

• Working some problems together
• Debugging some problems together
• Giving you a PCP that tests the skill
• Giving you access to hundres of BOF problems in the wild

Buffer Overflow Mastery Trail:

• Overwrite a local variable to win
• Overwrite the return instruction pointer to win
• Overwrite instruction pointer and add an argument
• Add shellcode and overwrite instruction pointer
• Use a pop+ret gadget to chain together several jumps
• Use a pop+ret gadget to pass arguments to a 64-bit win function
• Leak a canary and overwrite a return address AND canary
• Create a ROP-chain that effectively creates shellcode one instruction at a time
• Leak a glibc address, calculate the base address, and jump to a one-gadget
• Leak a glibc address, create a win function in your ROP-chain
• Use your buffer to loop back to main so you can gather more data and go again
• Discover a RWX segment and drop shellcode there and jump to it
• Create a loop so you can use the PLT to edit the GOT and craft your shell that way (autopwner)

Starter problem: nc thekidofarcrania.com 35235 comes from: https://ctflearn.com/challenge/1010 (source just below:)

Applied Calling Conventions

So we have the zero to hero challenge problem set.

Problem 2 from that set is called 2ret-to-win.

Here is is: bufover-2

Here is its source code:

Here is a burger-based rough representation of what is happening at the moment you will get to control the stack via overflow:

This burger-stack visualizer was made by a former PWN student of ours while she was wrestling with calling conventions: https://br1os.website/simple-stack-visualizer/

Let's talk this out, and I'll push/pop the stack according to the calling conventions.

What exactly should the payload look like to jump to a win function AND pass it arguments? Why do I think this question is important and interesting?

Alright let's start to PWN it together here's a starter script:

Debugging!

A good cyber professional is a good rapid troubleshooter.

We have to accumulate failures faster to win sooner.

Plug and pray is not how to pwn.

So what can we do?

The process is roughly like this:

• Every time a program runs it is given a process id, pid
• We can have two (or more) terminals interact with the process
• We will start the process using pwntools
• We will split our screens using tmux or something
• We will attach to the process using r2 (and soon gdb)
• We will set breakpoints carefully
• We will pass consciousness back and forth

For the pwntools starting you will see it gives us the pid already.

We will need to do some clever terminal multi-plexing. I'll use tmux for that.

Here is the tmux cheatsheet: https://tmuxcheatsheet.com/

To attach to a process you can use: r2 -Ad :pidhere (no colon that's just my variable convention, it's a number)