Camp CTF 2015 - Bitterman

IppSec · Beginner ·🔐 Cybersecurity ·8y ago

Key Takeaways

The video demonstrates a return-to-libc attack on a 64-bit binary using tools like gdb, peeta, and pattern_create, while bypassing security features like ASLR, DEP, and PIE. It showcases the exploitation of a stack-based buffer overflow vulnerability in the Bitterman binary from Camp CTF 2015.

Full Transcript

hey guys what's going on this is if SEC and we're changing up a bit gonna exploit a single binary not a box that binary is called bitter man from camp CTF I decided to do this because I wanted to create a aslo bypass without brute forcing and unfortunately it's not possible in October believe me I tried for a while until four GP that guy that created calamity spoke up and was like yeah nothing's being printed to the screen so it's not possible so I decided to go around the web find different CTF problems and I came across this one which is really cool we'll get to see that aslr bypass without brute forcing and we'll also dig into a 64-bit binary exploit so I hope you guys enjoyed this video and we'll jump in so pre-warning before we do anything this stuff is difficult it's more difficult to talk while I'm doing it so I'm gonna say a lot of wrong things I'll try to put some links in the description to help answer any questions you may have so first things first is download bitter man a link will be in the description to do that and then you can run file against it and verify it is a 64-bit executable we can also you name a box and CES 1 a 64-bit box so we should be able to execute this binary we're going to do gdb on bitter man and we have the Peeta extension loaded so I can do check SEC and see that the only thing enabled is DEP which is n X this is going to make the stack read-only so we can't just drop shellcode and execute that means we have to do a return to Lib C type of tack the canary this put something in the register before user input and then checks it after user input and if it changes this DAC has been smashed fortifying replaces a bunch of vulnerable calls with their safe equivalent to help prevent buffer overflows PI this is position independent executable and that is a SLR essentially it's disabled in this binary which means all the memory locations in this binary will stay the same it doesn't mean the memory locations and the libraries that this binary uses will stay the same we'll see that Lib C changes every time this binary loads but will do something to a sis call in this binary to leak the address in Lib C to allow us to do a return to Lib C without brute-forcing railro not 100% sure what this is I think is read location read-only which makes the global offset table read-only so we can run the application now and it asks her name so we'll just say tip SEC and put the length of message will do 512 input text hello and it just says thanks and exits it's a very polite binary useless but at least is polite so now what try to do something more nefarious so what is her name let us do Python C and put nope not in put a print a times 500 we'll say her name is 500 days and it just exits politely and doesn't do anything so we're do if sec and lengthen message will do 512 again and throw the a is in this spot and now we get a seg fault and the interesting thing is in 64-bit binaries you don't get a street or IP overwrite all the registers if these were ease this would be 32-bit the e gets swapped with r and 64-bit but don't get to overwrite this right away we do see it is stuck on a return call so you look at the stack pointer which is RSP and this memory address looks like a valid 64-bit but it's appointed to all A's so if it tries to return here it's gonna have a bad time so we have to fix this return address to put actual code here which then will get put into our IP but in order to do that we have to know where the overflow occurs so let's do a pattern create 500 and if you want to know more about PETA just watch the October video that's where I go into installing it and we're gonna run this again if set 512 input text so now we do see our SP has a bunch of random data in it so we'll do x /x g or SP to print it get this offset and then do pattern offset and we see it's at 151 so we're going to throw 152 bytes into this and then we should get to the RSP overwrite so we can now begin with a skeleton exploit so V exploit PI and we're going to use pen tool so from pone import star context terminal equals T MUX new window and this is awesome it just will load gdb into a team ox window automatically and I could think blink from half the box for showing me that one this will be use later process and we will do G to be first so beat debug get a man and we will break on main so now when we run the script it's going to run bitter man in gdb in a new team box window then we have to set the context for environment which is Linux and the architecture is amd64 this helps parent tools know how to do some memory addressing and formatting the next thing we're going to do is do another comment in set context log level is equal to debug this just comes in handy if we ever get hung in certain spots so that's it for setting up the environment we will have to find two different things or three different things we need to find the put/call which is in the binary puts is going to write or strain to a place so then it can be outputted to the screen and that's where the buffer overflow happens and also where we can make it leak and address so let's do object dump dash D puts no better man and grep for puts so we actually want to addresses we want this the procedural link address the PLT because this is where the call exists in the binary and we also want the address of where it is and the global offset table so what we're going to do is have put call itself in the global offset table and what that will do is link the address of what put is located in the binary which changes every single time so we want to copy this whole thing into our exploit and hopefully this will make sense once you see it happen so P ot put this is the procedural link table I think yeah procedural linkage table it is what PLC stands for I hope 405 20 and we want the G ot put the global offset table and that's 0 X 600 C 50 and that one is right here so just one of those two lines the other thing we need is a pop RDI because in 64-bit applications you don't put arguments on the stack you put them in registers and the order is I believe o dir SI RDX RC x for four different arguments we only need to do one so we're going to use radar not on exploit on bitumen and we're going to do slash R for R op and then pop our di and then take the address so this is going to pop what's on the stack into r di and then return so pop r di is equal to that and we don't need these leading zeros so a payload is going to be up before we do that we need junk equals a times 152 I believe so our payload is equal to the junk then pop ODI then we want to put the argument which is the global offset table put and then what's calling that BLT put okay so that's the initial payload and we also want to grab all the output of the program so we'll just call this I'm not gonna worry about anything okay that was weird set paste okay so I want to do that so now I can do P dot what is it receive until name and then we will P dot send line hips ik and we want the next one to be P dot receive until message and then Pete send line 102 four then it wants P dot seve until text and P dot send line payload and then we will do a raw input to pause the program until we hit enter and if we don't do this and we're debugging it it won't print any of these SEC fault information and we can also do P and a active to see what happens after that so it's Python exploit opened up and we have an error so I forgot to put everything in 64-bit format P 64 64 64 all that's doing is converting these addresses to a 64-bit friendly format because this is what three bytes and it needs to be eight so see if that fixes it it does we broke on main because that's what we tell it to do so we'll continue and we get a segfault going back and it outputs some information so this is actually the memory address and we can verify it changes by just swapping these quickly so we don't have to keep going through G DB and P equals so all right again and we see different addresses so this is the leaked address of the put statement inside of Lipsy so we want to grab that so after we send the payload we will want to put leaked puts equals P receive and I think that was eight we want to get rid of any newline characters and no just it's not that and this should make ourselves much happier so I'll try this leaked puts at G Lib C we don't need this right now cuz I'm at Gd being up at a syntax error just clean that up and now we have a wonderful error that it's not doing correctly crap oh let's see let's turn debugging on and see what's going on or not that debug output there we go Python I don't see anything there let's just go interactive oh it sends the leak after thanks so we send payload B dot C until Thanks then that should work there we go that looks much better now we see every time we're running it we're leaking a different address so that's good that memory leak doesn't lead do us any good if we crash the program so the next thing to do is do another object dump on bitter man and we want to grep out call main so take the memory address of main go into our exploit script and we will put PLT main is equal to p 64 the address and we also have to go to the payload to put p LT main and that should do it so again if we caused the leak the program crashes the leak does is no good because the next time the program starts up then it's gonna randomize all locations again so and after we caused the leak we want to call main to put the program back in a working state so we can do another exploit based upon information we got from the previous leaked address so this is what this is going to test after the exploit we just threw the call main afterwards so let's run this again we got the memory leak and then it asks us for the length of our message so we have successfully called the program after causing the leak which means now we have to do the hard stuff and that is calculate where we are in Lib C to get all the other offsets we want to do the lib return to Lipsy attack so first off we have to locate where Lib C is and I'm just going to copy it in my directory to make it a bit easier to work with okay so we're gonna do read elf on Lib C and grep out puts and we want puts at G Lib C so we'll copy this address go in our exploit and we want to put our address so this will be Lib C put ok now let's just split the screen to make it easier read elf - s and now we want to do wipsy again and we want to grep out system so grab this memory address and we will put Lipsy sis okay now we also need the string slash Ben Sh because we call system and we want to call system with Ben SH so I'm gonna go back over here do strings - a - t X Lib C dot s o dot six and grep four slash bin slash SH and we get this string or this hex and we'll put Lib C SH is equal to so we have all the locations in Lib C so now we have to calculate the offset so if we do offset is equal to the leaked puts this the address we at leaked of where puts is located and we're going to subtract it against the Lib C p-- foot and that should get us the distance away we are from this address and that's going to be the same distance from every other address so now we can do I'm trying to think what to call this we'll just do system is equal to the offset plus web see sis and sh is equal to offset plus Lib C SH and let's put them in P 64 and completely unneeded but won't hurt anything I'm gonna copy the pop ODI down here as well so we know we have to use it okay now our payload is going to be the junk plus pop party I plus I want to say the sh+ system now if we do we just want to execute it again so we see what the first thing it asks us is so we know where to begin receive in sand lines and something screwed up ah what line is that 46 award is happening here oh we have to unpack this leaked puts is equal to you 64 leaked puts awesome okay so we want to begin at the message so P dot receive until message and let's see one two three four okay see if this works one would hope and it just hung so maybe it wasn't expecting message there so again leaked so let's enable debug and see what it's sending us that was gdb it's asking what's her name I think so we can try starting there and I just saw name there so let's try this now uh nope I don't know was expecting oh if it had saw name then we just want to send it the name so we already received that line and looking up here I think I forgot a zero musta been a copy and paste here because that was an odd number of bits so save this and we'll try I found exploit do LS and we have a shell so now is it if you could follow that you're amazing if not well we're about to get a little bit more confusing so let's exit here clear everything and we're gonna use parent tools to the max we can exit this one too so let's go back into our exploit and we're pretty much going to get rid of every address we did and let actually I'll just delete them I don't need them this stuff I don't need really we're just going to let pen tools magically find everything so we're going to start off by saying log dot status mapping binaries and we can say bitter man is equal to elf bitter man and we can do this because we have all the binaries including Lib C so Rob equals Rob man and Lib C equals elf lip CS o dot six okay and we're gonna change the name to be exploit to PI V just in case I want the old one I figured I would change the names so we've created bitter man rap and Lib C so we're gonna start by building a chain with rock dot search so this is magically going to find the rap chain of pop RDI then the next thing is we want to find the rap puts elcott puts is gonna create our next system call and we also want Rob call elf symbols main okay so this means pen tools is going to magically find all those addresses we did by hand and we can say log info stage one Rob chain and and we can pause the program there so we can see it and we have to do essentially the same thing down here so we want to keep that offset but we don't know what Lib seed output is digest aaliyan I don't need them anyways so this will be puts - web seed symbols puts and we want to change this to be Lib C dot address okay call that yeah because we called this Lipsy up here so we're changing the address of the Lib C we defined earlier to be at that offset so we're rebasing the Lipsy and then we can do Rob to is equal to R op Lib C it's part case-sensitive and then Rob - dot system next Lipsy search slash bin Sh we want plate and we don't have to get the system phone calls is gonna be smart enough that says hey you're trying to search for this system know this bin SH I'm gonna add system for you so a little bit of magic there and we'll do log info stage - Rob chain + Rob to dump okay so this payload is going to be junk + string drop two and this payload is going to be junk + string Rob so we'll see if I magically do this correctly the very first time and if I did it shows just how awesome parentals is for making this easy so python exploit - pi come on no logo has no object status okay I forget what that one was or just say and fell module has no attribute G ot what line is that 18 rupp dot puts Oh better man God's I normally call that elf as in the binary so here's a rap chain does this look familiar we got pop roadie I the address of the global offset table it puts the address it puts it's fixing our stack for us and then calling main and then again fixing our stack for something we didn't do and then the next chain we have the pop roadie I the location of been SH system and then fixing the stack and again it worked pretty much first time so that is that I hope you guys enjoyed this tutorial or video on this exploit hopefully it was relatively easy to follow I know it's not a straightforward thing and hopefully with a lot of binary exploits I get better at explaining this stuff and feel free to leave comments of questions and things like that and I'll do my best AS Roma so take care guys see you around

Original Description

00:00 - Introduction 01:20 - Using CheckSEC to explain the binary protections that can be applied. 02:45 - Running the binary to discover a segfault with long string of A's 04:10 - This is a 64 bit Binary so we overwrite RSP (Stack Pointer) not RIP (Instruction Pointer) 04:30 - Using Pattern Create to identify where we can overwrite RSP 05:15 - Using PwnTools to create a skeleton exploit 07:20 - Using objdump to dump the PLT (Procedural Link Address) and GOT (Global Offset Table) Address for PUTS so we can use ROP to write to the screen 09:00 - Using R2 (radare) to find the location to a pop rdi function 09:45 - Building the gadget chain to print the location of PUTS 12:20 - Packing the addresses in our exploit with p64(), then showing the leaked address 14:00 - Storing the leaked address as a variable so we can convert it to hex 15:50 - Memory address retrieved! It changes every time the program loads, so adding a ROP back to MAIN 18:50 - Looking for a SYSTEM() Address with ReadElf 19:00 - Using strings to find the location of "/bin/sh" within libc 19:55 - Using the leaked addresses to find where libc is loaded 24:50 - Fixing up some memory addresses then getting a shell! 25:10 - Using Pwntools to the max! Having it automate a lot of stuff. 25:50 - Mapping the ELF + LIBC within PwnTools 26:45 - Using PwnTools to build the ROP Chain to leak PUTS 28:15 - Using PwnTools to rebase LibC From our memory leak 29:00 - Using PwnTools to pull the SYSTEM and /bin/sh information from LibC 30:30 - Debugging some errors then getting a shell! Bitterman: https://github.com/ctfs/write-ups-2015/blob/master/camp-ctf-2015/pwn/bitterman-300/bitterman?raw=true Good Links. PLT/GOT explanation: https://www.technovelty.org/linux/plt-and-got-the-key-to-code-sharing-and-dynamic-libraries.html Great Writeup to similar CTF Challenge: https://blog.skullsecurity.org/2015/defcon-quals-r0pbaby-simple-64-bit-rop
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 8 of 60

1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
2 HackTheBox - October
HackTheBox - October
IppSec
3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
5 HackTheBox - Bank
HackTheBox - Bank
IppSec
6 HackTheBox - Joker
HackTheBox - Joker
IppSec
7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
9 HackTheBox - Devel
HackTheBox - Devel
IppSec
10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
14 HackTheBox - Charon
HackTheBox - Charon
IppSec
15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
17 HackTheBox - Europa
HackTheBox - Europa
IppSec
18 Introduction to tmux
Introduction to tmux
IppSec
19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
21 HackTheBox - Jail
HackTheBox - Jail
IppSec
22 HackTheBox - Blue
HackTheBox - Blue
IppSec
23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
28 HackTheBox - Node
HackTheBox - Node
IppSec
29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
31 HackTheBox - Sense
HackTheBox - Sense
IppSec
32 HackTheBox - Minion
HackTheBox - Minion
IppSec
33 VulnHub - Sokar
VulnHub - Sokar
IppSec
34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
35 HackTheBox - Inception
HackTheBox - Inception
IppSec
36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
40 HackTheBox - Tally
HackTheBox - Tally
IppSec
41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
45 How To Create Empire Modules
How To Create Empire Modules
IppSec
46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
47 HackTheBox - Nightmarev2  - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
48 HackTheBox - Bart
HackTheBox - Bart
IppSec
49 HackTheBox -  Aragog
HackTheBox - Aragog
IppSec
50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
51 HackTheBox - Silo
HackTheBox - Silo
IppSec
52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
55 HackTheBox - Poison
HackTheBox - Poison
IppSec
56 HackTheBox - Canape
HackTheBox - Canape
IppSec
57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

This video teaches how to exploit a stack-based buffer overflow vulnerability in a 64-bit binary using a return-to-libc attack, while bypassing security features like ASLR, DEP, and PIE. It demonstrates the use of tools like gdb, peeta, and pattern_create for binary analysis and exploitation.

Key Takeaways
  1. Download the Bitterman binary from Camp CTF 2015
  2. Run the binary in gdb to analyze its security features and vulnerabilities
  3. Use peeta to identify the stack canary, DEP, and PIE security features
  4. Leak the address of Lib C to allow for a return-to-libc attack
  5. Create a payload to overwrite the RSP and leak memory addresses
  6. Use pattern_create to generate a payload for the exploit
💡 The key to exploiting the Bitterman binary is to bypass the security features like ASLR, DEP, and PIE, and to use a return-to-libc attack to execute a system call.

Related Reads

📰
Vulnhub: Shenron-1 Walkthrough
Exploit a vulnerable Linux machine using credential exposure and kernel exploit to gain root access
Medium · Cybersecurity
📰
The Day I Realized Technology Is About People, Not Just Code
Technology is about people, not just code, and understanding this is crucial for success in the field
Medium · Cybersecurity
📰
🚀 I Built CODELIVLY — A Platform to Learn Cybersecurity Through Hands-On Practice
Learn how to build a hands-on cybersecurity learning platform like CODELIVLY and improve your skills in cybersecurity and platform development
Dev.to · Rocky
📰
The Silent Killer in Your Node.js APIs: Mass Assignment & How to Catch It Before Production
Protect your Node.js APIs from mass assignment vulnerabilities by going beyond ESLint and SonarQube checks
Medium · AI

Chapters (22)

Introduction
1:20 Using CheckSEC to explain the binary protections that can be applied.
2:45 Running the binary to discover a segfault with long string of A's
4:10 This is a 64 bit Binary so we overwrite RSP (Stack Pointer) not RIP (Instructi
4:30 Using Pattern Create to identify where we can overwrite RSP
5:15 Using PwnTools to create a skeleton exploit
7:20 Using objdump to dump the PLT (Procedural Link Address) and GOT (Global Offset
9:00 Using R2 (radare) to find the location to a pop rdi function
9:45 Building the gadget chain to print the location of PUTS
12:20 Packing the addresses in our exploit with p64(), then showing the leaked addre
14:00 Storing the leaked address as a variable so we can convert it to hex
15:50 Memory address retrieved! It changes every time the program loads, so adding
18:50 Looking for a SYSTEM() Address with ReadElf
19:00 Using strings to find the location of "/bin/sh" within libc
19:55 Using the leaked addresses to find where libc is loaded
24:50 Fixing up some memory addresses then getting a shell!
25:10 Using Pwntools to the max! Having it automate a lot of stuff.
25:50 Mapping the ELF + LIBC within PwnTools
26:45 Using PwnTools to build the ROP Chain to leak PUTS
28:15 Using PwnTools to rebase LibC From our memory leak
29:00 Using PwnTools to pull the SYSTEM and /bin/sh information from LibC
30:30 Debugging some errors then getting a shell!
Up next
Hacking used to be fun. Now it's crime rings. #insurtech #podcast #insurtechgeek
The InsurTech Geek Podcast
Watch →