Easy Linux PWN
This is a set of Linux binary exploitation tasks for beginners. Right now they are only oriented on stack buffer-overflows.
I've created these tasks to learn how to do simple binary exploitation on different architectures. For educational purposes while solving the tasks you have to follow a set of rules listed below. The tasks are made deliberately small and some of the rules are deliberately unrealistic. Contrary to most CTF challenges, in these tasks the solution is given to you, you just have to implement it.
Rules
-
All tasks must be solved using the suggested approach even if there are other easier ways.
-
All tasks must be solved with specific protections assumed to be enabled or disabled (even if the architecture, the toolchain or the environment doesn't support it).
-
All tasks assume a dynamically linked libc with a known binary.
-
All ROP chains must be built manually.
Tasks
Suggested approaches
-
01-local-overflow: overflow
buffer
and overwritex
with the desired value. -
02-overwrite-ret: overwrite any of the return addresses on stack with the address of
not_called()
. -
03-one-gadget: jump to a one_gadget address. Make sure to satisfy the required constaints if there are any. For some of the architectures this might require using a ROP chain, which technically makes "one_gadget" no longer "one".
-
04-shellcode-static: allocate a shellcode on the stack that launches
/bin/sh
and jump to it. Assume that the shellcode address on the stack is known. No need to deal with cache coherency on ARM, MIPS and PowerPC. -
05-shellcode-dynamic: same as the previous task, but here the stack address (and therefore the shellcode address on the stack) is unknown.
-
06-system-rop: compose a ROP chain to execute
system("/bin/sh")
. -
07-execve-rop: compose a ROP chain to execute
execve("/bin/sh", NULL, NULL)
via a syscall. Explicitly specify the second and third arguments. -
08-overwrite-global: compose a ROP chain to overwrite
x
with the desired value and then jump tonot_called()
.
Protections
Blank spaces mean the protection state is not relevant for the suggested approach.
Task | Binary* | Stack* | Libc* | Canary | NX | RELRO |
---|---|---|---|---|---|---|
01-local-overflow | No | |||||
02-overwrite-ret | Known | Known | No | |||
03-one-gadget | Known | Known | No | |||
04-shellcode-static | Known | No | No | |||
05-shellcode-dynamic | Known | Known | No | No | ||
06-system-rop | Known | Known | No | |||
07-execve-rop | Known | Known | No | |||
08-overwrite-global | Known | Known | No |
* - refers to the address of the binary, stack or libc. This allows to specify a more fine-grained control than traditional ASLR/PIE.
To disable ALSR:
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
To enable ASLR:
echo 2 | sudo tee /proc/sys/kernel/randomize_va_space
Solutions
These solutions are provided only for reference and are not portable (they contain hardcoded addresses and offsets and were only tested in a single environment).
Task | x86 | x86-64 | arm | arm64 | mips | mips64 | ppc | ppc64 | sparc64 |
---|---|---|---|---|---|---|---|---|---|
01-local-overflow | + | + | + | + | + | + | + | + | + |
02-overwrite-ret | + | + | + | + | + | + | + | + | + |
03-one-gadget | + | + | + | ||||||
04-shellcode-static | + | + | + | + | + | + | + | + | |
05-shellcode-dynamic | + | + | + | + | + | + | + | ||
06-system-rop | + | + | + | + | + | + | + | + | |
07-execve-rop | + | + | + | + | + | + | + | + | |
08-overwrite-global | + | + | + | + | + | + | + | + |
Prerequisites
The tasks were tested on x86-64 CPU machine with Linux Mint 19.1 and the following software versions:
Software | Version |
---|---|
GCC | (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0 |
glibc | (Ubuntu GLIBC 2.27-3ubuntu1) 2.27 |
QEMU | 2.11.1(Debian 1:2.11+dfsg-1ubuntu7.12) |
GDB | (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git |
pwntools | 3.12.2 |
Ropper | 1.11.13 |
Issues:
-
qemu-ppc64
requires a newer QEMU (with this patch), so you'll need to build QEMU from source. If the manually built QEMU doesn't know where to look for dynamic libs, runexport QEMU_LD_PREFIX=/etc/qemu-binfmt/ppc64/
before usingpwntools
. -
ropper
has poor support forppc
andppc64
, so this patch is recommended to recognize more gadgets. -
ropper
doesn't recognizeppc64
binaries automatically and requires this patch (you may also explicitly provide--arch PPC64
). -
pwntools
doesn't set arch name for GDB forsparc64
correctly and requires this patch. -
ropper
(norROPgadget
) doesn't supportsparc64
and requires this patch.
Setup
Install packages:
sudo apt-get install build-essential
sudo apt-get install gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu gcc-mips-linux-gnu gcc-mips64-linux-gnuabi64 gcc-powerpc-linux-gnu gcc-powerpc64-linux-gnu gcc-sparc64-linux-gnu
sudo apt-get install libc6-dev:i386 libc6-armhf-cross libc6-arm64-cross libc6-mips-cross libc6-mips64-cross libc6-powerpc-cross libc6-ppc64-cross libc6-sparc64-cross
sudo apt-get install qemu-user
sudo apt-get install gdb gdb-multiarch
# These are probably not required, but just in case:
# sudo apt-get install gcc-7-multilib gcc-multilib-arm-linux-gnueabi gcc-multilib-mips-linux-gnu gcc-multilib-mips64-linux-gnuabi64 gcc-multilib-powerpc-linux-gnu gcc-multilib-powerpc64-linux-gnu
Build the binaries:
./build.sh
Install pwntools and ropper (assuming that you have pip
installed):
pip install --user pwntools ropper
Setup qemu-binfmt
for QEMU and pwntools:
sudo mkdir /etc/qemu-binfmt
sudo ln -s /usr/arm-linux-gnueabihf/ /etc/qemu-binfmt/arm
sudo ln -s /usr/aarch64-linux-gnu /etc/qemu-binfmt/aarch64
sudo ln -s /usr/mips-linux-gnu/ /etc/qemu-binfmt/mips
sudo ln -s /usr/mips64-linux-gnuabi64/ /etc/qemu-binfmt/mips64
sudo ln -s /usr/powerpc-linux-gnu/ /etc/qemu-binfmt/ppc
sudo ln -s /usr/powerpc64-linux-gnu/ /etc/qemu-binfmt/ppc64
sudo ln -s /usr/sparc64-linux-gnu/ /etc/qemu-binfmt/sparc64
More
In case you want to run the binaries and QEMU manually:
gdbserver --no-disable-randomization localhost:1234 ./bin/x86/00-hello-pwn
gdbserver --no-disable-randomization localhost:1234 ./bin/x86-64/00-hello-pwn
qemu-arm -L /usr/arm-linux-gnueabihf/ -g 1234 ./bin/arm/00-hello-pwn
qemu-aarch64 -L /usr/aarch64-linux-gnu/ -g 1234 ./bin/arm64/00-hello-pwn
qemu-mips -L /usr/mips-linux-gnu/ -g 1234 ./bin/mips/00-hello-pwn
qemu-mips64 -L /usr/mips64-linux-gnuabi64/ -g 1234 ./bin/mips64/00-hello-pwn
qemu-ppc -L /usr/powerpc-linux-gnu/ -g 1234 ./bin/ppc/00-hello-pwn
qemu-ppc64 -L /usr/powerpc64-linux-gnu/ -g 1234 ./bin/ppc64/00-hello-pwn
qemu-sparc64 -L /usr/sparc64-linux-gnu/ -g 1234 ./bin/sparc64/00-hello-pwn
gdb -q -ex "set architecture i386" -ex "set solib-search-path /lib/i386-linux-gnu/" -ex "target remote localhost:1234" ./bin/x86/00-hello-pwn
gdb -q -ex "target remote localhost:1234" ./bin/x86-64/00-hello-pwn
gdb-multiarch -q -ex "set architecture arm" -ex "set solib-absolute-prefix /usr/arm-linux-gnueabihf/" -ex "target remote localhost:1234" ./bin/arm/00-hello-pwn
gdb-multiarch -q -ex "set architecture aarch64" -ex "set solib-absolute-prefix /usr/aarch64-linux-gnu/" -ex "target remote localhost:1234" ./bin/arm64/00-hello-pwn
gdb-multiarch -q -ex "set architecture mips" -ex "set solib-absolute-prefix /usr/mips-linux-gnu/" -ex "target remote localhost:1234" ./bin/mips/00-hello-pwn
gdb-multiarch -q -ex "set architecture mips64" -ex "set solib-absolute-prefix /usr/mips64-linux-gnuabi64/" -ex "target remote localhost:1234" ./bin/mips64/00-hello-pwn
gdb-multiarch -q -ex "set architecture powerpc:common" -ex "set solib-absolute-prefix /usr/powerpc-linux-gnu/" -ex "target remote localhost:1234" ./bin/ppc/00-hello-pwn
gdb-multiarch -q -ex "set architecture powerpc:common64" -ex "set solib-absolute-prefix /usr/powerpc64-linux-gnu/" -ex "target remote localhost:1234" ./bin/ppc64/00-hello-pwn
gdb-multiarch -q -ex "set architecture sparc:v9" -ex "set solib-absolute-prefix /usr/sparc64-linux-gnu/" -ex "target remote localhost:1234" ./bin/sparc64/00-hello-pwn
If you want to do full system emulation, you can do that either manually via qemu-system-*
or via arm_now.
Materials
I'm not aiming to provide a thoroughly collected list of materials to learn binary exploitation here, so for the most part you should rely on your own ability to find them. I'll still put here some links that I have found helpful.
x86 and x86-64
Countless tutorials available online for these architectures.
arm
INTRODUCTION TO ARM ASSEMBLY BASICS [articles]
ARM shellcode and exploit development [slides]
arm64
ARM Architecture Reference Manual ARMv8, for ARMv8-A architecture profile [book]
Introduction to A64 Instruction Set [slides]
ROP-ing on Aarch64 - The CTF Style [article]
GoogleCTF - forced-puns [article]
mips
MIPS IV Instruction Set [book]
MIPS Calling Convention [article]
EXPLOITING BUFFER OVERFLOWS ON MIPS ARCHITECTURES [article]
Exploiting a MIPS Stack Overflow [article]
Notes:
mips
has branch delay slot.
mips64
MIPS64 Architecture For Programmers Volume II: The MIPS64 Instruction Set [book]
Linux MIPS ELF reverse engineering tips [article]
Notes:
-
mips64
has branch delay slot. -
Functions expect to be called through
$t9
.
ppc
PowerPC User Instruction Set Architecture Book I Version 2.01 [book]
POWERPC FUNCTION CALLING CONVENTION [article]
Router Exploitation [slides]
CVE-2017-3881 Cisco Catalyst RCE Proof-Of-Concept [article]
How To Cook Cisco [article]
ppc64
PowerPC User Instruction Set Architecture Book I Version 2.01 [book]
64-bit PowerPC ELF Application Binary Interface Supplement 1.9 [article]
Deeply understand 64-bit PowerPC ELF ABI - Function Descriptors [article]
Notes:
- Functions expect a correct value of
$r2
when called.
sparc
The SPARC Architecture Manual Version 8 [book]
Function Call and Return in SPARC combined with Sliding Register Windows [article]
When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC [paper]
Buffer Overflows On the SPARC Architecture [article]
sparc64
The SPARC Architecture Manual Version 9 [book]
SPARC V9 ABI Features [article]
Notes:
-
sparc64
has branch delay slot. -
sparc64
has stack bias of 2047 bytes. -
sparc64
CPU used by QEMU has 8 register windows. -
Figure out why and when
vulnerable()
register window gets loaded from the stack, none of the linked ROP tutorials mention it :)
Someday
Some ideas for more tasks:
XX-dup2-rop, XX-aaw-rop, XX-format-string, XX-reverse-shell, XX-oneshot-write, XX-oneshot-syscall, XX-bruteforce-aslr, XX-bruteforce-canary, XX-overwrite-got, XX-partial-ret, XX-partial-got, XX-sleep-shellcode, XX-mprotect-shellcode, XX-nonull-shellcode, XX-alphanum-shellcode, XX-shellcode-encoder, XX-nop-sled, XX-ret-sled, XX-canary-master, XX-canary-leak, XX-magic-gadget, XX-stack-pivot, XX-egghunt