Tuesday, April 16, 2013

Travels from the prison of $ to the realm of # [PART 1]

Beginning Notes:  
1. A modest amount of core knowledge is assumed.
2. A read of "Smashing The Stack for Fun and Profit" by Aleph One would be recommeded.
3. Point '2' doesn't guarante anything and for further queries refer to point '1' or ask away under comments.

To get the # symbol at a console is a local exploit's dream. But in the current privelaged land of root, it is not uncommon to face challanges. Lets take a simple example: a setuid root binary, data read from a file and echoed onto the stdout. Lets make this a little easier: the binary is not stripped. Lets make this a little more easier: ASLR & Stack Cookies are disabled... for now. At the same time, it's a 64 bit system, NX is enabled [Hardware Enforced] & we don't have the code.

Enough talking, lets get our hands dirty...

A sample run:

$> ./test
usage: ./test file_name
$> echo "hello" > foo
$> ./test foo
Data Read: hello


looks good, the program takes a filename as input, reads the file and echos the file contents on stdout.

lets try to spice it up a bit, run the program with input incremented by 100 characters each time:
for the character stream generation, we shall use good ol' python.

$> python -c "print 'A'*100" > foo && ./test foo
Data Read: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... [OUTPUT TRUNCATED]
 
$> python -c "print 'A'*200" > foo && ./test foo
Data Read: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... 


$> python -c "print 'A'*300" > foo && ./test foo
Data Read: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...


Seems good till now, maybe the code isn't vulnerable, but that wouldn't be fun would it ;)
lets keep trying...

$> python -c "print 'A'*400" > foo && ./test foo
Data Read: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... [OUTPUT TRUNCATED]


$> python -c "print 'A'*500" > foo && ./test foo
Data Read: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... [OUTPUT TRUNCATED]

Maybe this is a lost cause, we might as well go and check our email...
"Patience my padawan learner"

$> python -c "print 'A'*600" > foo && ./test foo
Data Read: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... 

Segmentation Fault (core dumped)

bullseye! segfault, the buffer doesn't seem to be unlimited afterall.
Looking at all the attempts, we can easily say that the buffer lies between 500 to 600 bytes.

Lets fireup GDB for a bit of code and stack analysis.

$> gdb test
GNU gdb (GDB) 7.2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /home/sandman/test...(no debugging symbols found)...done.
(gdb) run foo
Starting program: /home/sandman/test foo
Data Read: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
Program received signal SIGSEGV, Segmentation fault.
0x00000000004007af in echo_me ()

Seems like the code segfaults in the function echo_me(), a little bit of disassembly required (thankfully the binary is not stripped)...

(gdb) disas echo_me
Dump of assembler code for function echo_me:
   0x00000000004006d4 <+0>:    push   %rbp
   0x00000000004006d5 <+1>:    mov    %rsp,%rbp
   0x00000000004006d8 <+4>:    sub    $0x240,%rsp
   0x00000000004006df <+11>:    mov    %rdi,-0x238(%rbp)
   0x00000000004006e6 <+18>:    mov    $0x4008ec,%edx
   0x00000000004006eb <+23>:    mov    -0x238(%rbp),%rax
   0x00000000004006f2 <+30>:    mov    %rdx,%rsi
   0x00000000004006f5 <+33>:    mov    %rax,%rdi
   0x00000000004006f8 <+36>:    callq  0x4005b0
   0x00000000004006fd <+41>:    mov    %rax,0x20053c(%rip)        # 0x600c40
   0x0000000000400704 <+48>:    mov    0x200535(%rip),%rax        # 0x600c40
   0x000000000040070b <+55>:    test   %rax,%rax
   0x000000000040070e <+58>:    jne    0x400724
   0x0000000000400710 <+60>:    mov    $0x4008ee,%edi
   0x0000000000400715 <+65>:    callq  0x400580
   0x000000000040071a <+70>:    mov    $0xffffffff,%edi
   0x000000000040071f <+75>:    callq  0x4005a0
   0x0000000000400724 <+80>:    mov    0x200515(%rip),%rax        # 0x600c40
   0x000000000040072b <+87>:    mov    $0x2,%edx
   0x0000000000400730 <+92>:    mov    $0x0,%esi
   0x0000000000400735 <+97>:    mov    %rax,%rdi
   0x0000000000400738 <+100>:    callq  0x400590
   0x000000000040073d <+105>:    mov    0x2004fc(%rip),%rax        # 0x600c40
   0x0000000000400744 <+112>:    mov    %rax,%rdi
   0x0000000000400747 <+115>:    callq  0x400570
   0x000000000040074c <+120>:    mov    %eax,-0x4(%rbp)
   0x000000000040074f <+123>:    mov    0x2004ea(%rip),%rax        # 0x600c40
   0x0000000000400756 <+130>:    mov    $0x0,%edx
   0x000000000040075b <+135>:    mov    $0x0,%esi
   0x0000000000400760 <+140>:    mov    %rax,%rdi
   0x0000000000400763 <+143>:    callq  0x400590
   0x0000000000400768 <+148>:    mov    0x2004d1(%rip),%rdx        # 0x600c40
   0x000000000040076f <+155>:    mov    -0x4(%rbp),%ecx
   0x0000000000400772 <+158>:    lea    -0x230(%rbp),%rax
   0x0000000000400779 <+165>:    mov    %ecx,%esi
   0x000000000040077b <+167>:    mov    %rax,%rdi
   0x000000000040077e <+170>:    callq  0x4005d0
   0x0000000000400783 <+175>:    mov    0x2004b6(%rip),%rax        # 0x600c40
   0x000000000040078a <+182>:    mov    %rax,%rdi
   0x000000000040078d <+185>:    callq  0x4005e0
   0x0000000000400792 <+190>:    mov    $0x4008fa,%eax
   0x0000000000400797 <+195>:    lea    -0x230(%rbp),%rdx
   0x000000000040079e <+202>:    mov    %rdx,%rsi
   0x00000000004007a1 <+205>:    mov    %rax,%rdi
   0x00000000004007a4 <+208>:    mov    $0x0,%eax
   0x00000000004007a9 <+213>:    callq  0x400560
   0x00000000004007ae <+218>:    leaveq
=> 0x00000000004007af <+219>:    retq  
End of assembler dump.
(gdb)


looking at the disassembly, its quite easy to get an idea of the code by a simple follow of the important @plt [procedure linkage table] calls...

function echo_me(){
    fopen(file)             | open the file
    fseek(till EOF)            --|
    ftell(file_des)                 |--> to calculate the length of the file
    fseek(till BOF)            --|   
    fgets(the string from the file)  | get the string from the file and store it in the buffer [the vulnerability lies here]
    fclose(file)                    | close the file
    printf(the string)          | print the string
}


looking at all this it is evident what the programmer has done. A buffer with a static size was defined, the file size was calculated and was read into the buffer. Finally, the buffer is displayed as the output.