Skip to content

Instantly share code, notes, and snippets.

@trietptm
Forked from HockeyInJune/Exploitation
Created February 20, 2016 04:05
Show Gist options
  • Save trietptm/18567716fbee2067d1ad to your computer and use it in GitHub Desktop.
Save trietptm/18567716fbee2067d1ad to your computer and use it in GitHub Desktop.
Here are the tutorials we ran in #tutorials on IRC for CSAW CTF 2013.
04:28 -!- mode/#tutorials [+m] by HockeyInJune
04:28 <~HockeyInJune> Okay, we'll be starting again in a second.
04:29 <~HockeyInJune> Exploitation 1 is next at 19 votes.
04:29 <~HockeyInJune> Let's do that one.
04:29 <~HockeyInJune> You'll need IDA Demo and a Text Editor.
04:29 <~HockeyInJune> https://www.hex-rays.com/products/ida/support/download_demo.shtml
04:29 <~HockeyInJune> http://www.sublimetext.com/
04:31 <~HockeyInJune> Oh, isn't this a great song?
04:31 <~HockeyInJune> Alright, let's get started.
04:31 <~HockeyInJune> The times the are a-changin'
04:31 <~HockeyInJune> First, let's inspect the .c source file.
04:32 <~HockeyInJune> Obviously it's not the complete source file, but let's assume this the part of the code that's vulnerable.
04:32 <~HockeyInJune> The function is called handle, this could be important.
04:32 <~HockeyInJune> It takes a socket, probably already created.
04:33 <~HockeyInJune> First, we see a backdoor varible set to 0
04:33 <~HockeyInJune> That sounds important.
04:33 <~HockeyInJune> Then there's a character (byte) buffer that's 1016 bytes long.
04:33 <~HockeyInJune> The third line immediately clears that buffer out.
04:33 <~HockeyInJune> It overwrites all 1016 bytes with 0 or the null byte.
04:34 <~HockeyInJune> So, now we have 1016 0's on the stack.
04:34 <~HockeyInJune> Oh, and of course, all these local variables are automatically placed on the stack by the compiler.
04:34 <~HockeyInJune> And we'll verify this later in IDA>
04:35 <~HockeyInJune> Then the program send's the user a string about CSAW
04:35 <~HockeyInJune> That's line 8.
04:35 <~HockeyInJune> It sends it to newsock, which we can assume is the socket opened to the user
04:35 <~HockeyInJune> We can verify by connecting directly to the service.
04:36 <~HockeyInJune> Run "nc 128.238.66.212 31337" in your terminal
04:36 <~HockeyInJune> And you should see that string.
04:37 <~HockeyInJune> Then, we recieve 1020 bytes into that buffer on the stack.
04:37 <~HockeyInJune> But remember the buffer is only 1016 bytes long.
04:37 <~HockeyInJune> Then, we null terminate the buffer by putting the null character in the last place in the buffer.
04:38 <~HockeyInJune> That's line 10.
04:38 <~HockeyInJune> Then if backdoor is equal to anything but 0, the program reads a out the ./key file, copies it into the buffer, and then sends it back to the user.
04:39 <~HockeyInJune> That sounds like something we want.
04:39 <~HockeyInJune> We want the contents of that key file.
04:39 <~HockeyInJune> So, we need to set backdoor equal to something other than 0.
04:39 <~HockeyInJune> How can we do that?
04:39 <~HockeyInJune> Well, let's take a look at IDA>
04:39 <~HockeyInJune> Everyone open up the binary in IDA.
04:39 <~HockeyInJune> Just click okay to all the popups that pop up except the one about proximity mode.
04:40 <~HockeyInJune> So, now we're looking at main
04:41 <~HockeyInJune> If you remember from earlier, we know the name of the function we're looking for is handle, and we can search for it in the functions window.
04:41 <~HockeyInJune> But instead, let's look at main.
04:41 <~HockeyInJune> First there's some stack setup.
04:42 <~HockeyInJune> Then there's a short loop that fills in some stuff with nulls
04:42 <~HockeyInJune> No big dea
04:42 <~HockeyInJune> deal
04:42 <~HockeyInJune> Then our first function is getaddrinfo
04:43 <~HockeyInJune> That's important, because it sets up some variables to be used in our socket.
04:43 <~HockeyInJune> Here, we see we're using the IP 0.0.0.0 (an alias for all interfaces) and the port 31337.
04:43 <~HockeyInJune> All neatly outlined by IDA>
04:43 <~HockeyInJune> Thanks IDA!
04:44 <~HockeyInJune> If this call fails, we take the red branch (left) down to perror, which then quits the app.
04:44 <~HockeyInJune> Let's hope that doesn't happen.
04:45 <~HockeyInJune> Next, we have a call to socket with the structure we setup in getaddrinfo.
04:45 <~HockeyInJune> Same as last time, if it fails, we take the left branch, otherwise we take the right.
04:46 <~HockeyInJune> Then we have a call to setsockopt to make sure our socket is allowed to reuse the address.
04:46 <~HockeyInJune> Then we have a call to bind, which let's the operating system know we're want this address and port.
04:46 <~HockeyInJune> Finally, a call to listen to finally set the server up to accept connections.
04:47 <~HockeyInJune> Don't worry about the sigaction stuff, it's compllicated.
04:47 <~HockeyInJune> Then, accept is called, which blocks until a user connects.
04:48 <~HockeyInJune> Once connected, the server prints out a debug message to the shell, and then forks.
04:48 <~HockeyInJune> On the left branch after the fork we see our call to the handle function!
04:48 <~HockeyInJune> That's our child process which now contains our new socket, the connection to the user.
04:48 <~HockeyInJune> Let's go into handle and forget about everything else.
04:49 <~HockeyInJune> Here, we see instruction for instruction the same code at in the C file.
04:49 <~HockeyInJune> How nice!
04:49 <~HockeyInJune> But, now we're interested in the stack.
04:50 <~HockeyInJune> We can see IDA has identified the address being passed to recv (towards the end of the first basic block) as buf.
04:50 <~HockeyInJune> If we double click on buf, we'll en up inside the stack view!
04:50 <~HockeyInJune> That's how we know buf is on the stack
04:50 <~HockeyInJune> Thanks IDA!
04:50 <~HockeyInJune> buf is 0x404 on the stack
04:51 <~HockeyInJune> Use your developer calculator.
04:51 <~HockeyInJune> 404 is 1028 in decimal
04:51 <~HockeyInJune> That sounds close to that 1016 number we saw in the code.
04:51 <~HockeyInJune> Now scroll down in the source code.
04:52 <~HockeyInJune> var_C is located at 0xC
04:52 <~HockeyInJune> C is 12 in decimal
04:52 <~HockeyInJune> And 1028 - 12 = ?!?!?
04:52 <~HockeyInJune> omg
04:53 <~HockeyInJune> Press x on var_C to see the cross referrences.
04:53 <~HockeyInJune> There are two
04:53 <~HockeyInJune> The first one is a write, when 0 is assigned to it.
04:53 <~HockeyInJune> The second is a read when it's compared to 0
04:53 <~HockeyInJune> Click on that one.
04:54 <~HockeyInJune> This is our if statement that compares backdoor to 0.
04:54 <~HockeyInJune> If backdoor is 0, then we take the green path (right)
04:54 <~HockeyInJune> Otherwise, we take the red path (left), where the key is read out of the file and sent to the user.
04:54 <~HockeyInJune> Woooow
04:54 <~HockeyInJune> Wasn't that easy?
04:55 <~HockeyInJune> I think we're done.
04:55 <~HockeyInJune> My hands hurt;
04:55 -!- mode/#tutorials [-m] by HockeyInJune
03:27 -!- mode/#tutorials [+m] by HockeyInJune
03:27 <~HockeyInJune> Okay everyone, the channel is now moderated.
03:27 <~HockeyInJune> I'll be the only one talking.
03:27 <~HockeyInJune> To get started, you should run the ignore command that's in the topic, so you don't get bogged down with join and part messages.
03:28 <~HockeyInJune> That's /ignore #tutorials JOINS PARTS QUITS NICKS
03:28 <~HockeyInJune> We'll wait two minutes until 3:30 PM exactly.
03:29 -!- mode/#tutorials [+a ColdHeat] by HockeyInJune
03:29 <~HockeyInJune> Almost.
03:30 <~HockeyInJune> Okay, here we go.
03:30 <~HockeyInJune> Brandon Edwards - 100 Points
03:30 <~HockeyInJune> Solved by 333 teams.
03:30 <~HockeyInJune> https://www.google.com/search?&q=Brandon+Edwards
03:31 <~HockeyInJune> The first thing we do is notice that this category is unique to CSAW CTF.
03:31 <~HockeyInJune> Most other CTF competitions don't have Recon categories, so we might not know exactly what we're looking for.
03:31 <~HockeyInJune> However, we have a hint.
03:31 <~HockeyInJune> Hint for Recon: re·con·nais·sance /riˈkänəsəns,-zəns/ (n): military observation of a region to locate an enemy or ascertain strategic features.
03:32 <~HockeyInJune> So, we know we're trying to observe or locate or ascertain something abouth Brandon Edwards.
03:32 <~HockeyInJune> That doesn't sound so hard.
03:32 <~HockeyInJune> But first, let's take a short look at some old Recon challenges.
03:32 <~HockeyInJune> http://cissp.gr.oupi.es/2011/09/28/csaw-ctf-writeup-dino-dai-zovi-recon/
03:32 <~HockeyInJune> Dino Dai Zovi's recon from two years ago.
03:33 <~HockeyInJune> The flag was posted to a Twitter account that no one know he owned at the time.
03:33 <~HockeyInJune> You had to search Twitter for #csaw
03:33 <~HockeyInJune> That's interesting, so we know hackers like Twitter.
03:33 <~HockeyInJune> http://raidersec.blogspot.com/2012/09/csaw-ctf-quals-2012-recon-1-3-writeup.html
03:33 <~HockeyInJune> Here are some Recon challenges from last year.
03:34 <~HockeyInJune> Jordan's was flag was at http://key.psifertex.com.
03:35 <~HockeyInJune> An easy extrapolation once you found psifertex.com
03:36 <~HockeyInJune> Same thing for Jeff Jarmoc, except this time with a finger daemon.
03:36 <~HockeyInJune> My recon challenge last year was a comment on Reddit.
03:37 <~HockeyInJune> That pointed to my awesome porn site cockcab.com
03:37 <~HockeyInJune> http://www.reddit.com/r/netsec/comments/z8iaa/csaw_ctf_2012_registation_is_open_csaw_an/c6c0tcv
03:37 <~HockeyInJune> http://cockcab.com/
03:37 <~HockeyInJune> So, that's interesting hackers like Reddit also.
03:37 <~HockeyInJune> Twitter, Reddit, are we seeing a trend here yet?
03:38 <~HockeyInJune> Dan also had his last year's recon flag on Reddit.
03:38 <~HockeyInJune> http://www.reddit.com/r/netsec/comments/10kxoo/securitywatch_chats_with_dan_guido_ceo_of_trail/c6ecst4
03:38 <~HockeyInJune> Yoda's flag from last year, was in the IRC WHOIS information for the user yoda in #csaw.
03:38 <~HockeyInJune> http://eindbazen.net/2012/09/csaw-2012-recon/
03:39 <~HockeyInJune> jduck's Recon flag was in here http://qoop.org/priv/csaw/key/
03:40 <~HockeyInJune> Once you found his website, and checked robots.txt this was also fairly easy
03:40 <~HockeyInJune> Full writeup here
03:40 <~HockeyInJune> https://twitter.com/jduck/status/118129011577720833
03:40 <~HockeyInJune> Okay, so let's get back to Brandon!
03:40 <~HockeyInJune> Let's start here: https://www.google.com/search?q=Brandon+Edwards
03:40 <~HockeyInJune> Becuase that's the link that the challenge gave us.
03:41 <~HockeyInJune> All our results might be a little different, but I quickly see his Twitter handle, drraid and some black dude.
03:41 <~HockeyInJune> Brandon Edwards is president of The Tax Credit Company
03:41 <~HockeyInJune> Probably not the same Brandon
03:41 <~HockeyInJune> Braylon Jamel Edwards (born February 21, 1983) is an American football wide receiver
03:41 <~HockeyInJune> Probably not the same Brandon.
03:41 <~HockeyInJune> www.youtube.com/user/bddaawwgg‎
03:41 <~HockeyInJune> Probably not the same Brandon.
03:41 <~HockeyInJune> www.brandonsalad.com
03:41 <~HockeyInJune> lol maybe.
03:42 <~HockeyInJune> Let's see if Brandon has a bio on our judges page.
03:42 <~HockeyInJune> https://ctf.isis.poly.edu/judges/
03:42 <~HockeyInJune> He does.
03:42 <~HockeyInJune> co-founder of Exodus Intelligence
03:42 <~HockeyInJune> enjoys finding and exploiting software vulnerabilities
03:42 <~HockeyInJune> he is known for rapping about hacker related topics and the security industry
03:42 <~HockeyInJune> That's a lot of great information that we can start searching for.
03:43 <~HockeyInJune> However, at this point I'll add a hint.
03:43 <~HockeyInJune> We played some of Brandon's music over the past two days on CSAW.tv
03:43 <~HockeyInJune> Brandon won two pwnies for best hacker song, and regularly performs at security conferences.
03:43 <~HockeyInJune> So that might be useful as well.
03:44 <~HockeyInJune> So, now we found a lot of information, but what should we look at next?
03:44 <~HockeyInJune> Let's look for more orgnaizations that Brandon is assoicated with.
03:45 <~HockeyInJune> https://www.google.com/search?q=drraid
03:45 <~HockeyInJune> DEF CON® 18 Hacking Conference - Entertainment: drraid
03:45 <~HockeyInJune> www.defcon.org/html/defcon-18/drraid.html‎
03:45 <~HockeyInJune> drraid. SophSec Intrusion Labs. Playing: The Cyberpunk Gala
03:45 <~HockeyInJune> That's interesting.
03:45 <~HockeyInJune> int80 of dualcore vs Dr. RAID at Recon 2010
03:45 <~HockeyInJune> drraid also has a blog, but it looks like he took it down.
03:46 <~HockeyInJune> He has a last.fm artist page
03:46 <~HockeyInJune> And a twitpic account.
03:46 <~HockeyInJune> His name is also an acronym for Disaster Risk Reduction (DRR) aid
03:46 <~HockeyInJune> That might be important.
03:47 <~HockeyInJune> That's tthe end of our tutorial.
03:47 <~HockeyInJune> Just remember that the flag might not be immediately visible when you find it.
03:48 <~HockeyInJune> It might be hidden in comments, or on a different page, or in a different directory, or on a different subdomain.
03:48 <~HockeyInJune> Use last year's challenges as a guide and remember to do your recon well.
03:48 <~HockeyInJune> Thanks for listening, we'll do another tutorial at 4:30 PM.
03:48 -!- mode/#tutorials [-m] by HockeyInJune
01:22 <~HockeyInJune> Okay, let's do a tutorial for reversing 100
01:23 <~HockeyInJune> CSAW Reversing 2013 1 - 100 Points
01:23 -!- mode/#tutorials [+m] by HockeyInJune
01:23 <~HockeyInJune> CSAW Reversing 2013 1 - 100 Points
01:23 <~HockeyInJune> Solved by 629 teams.
01:23 <~HockeyInJune> csaw2013reversing1.exe
01:23 <~HockeyInJune> For this challenge, you'll need Immunity Debugger.
01:24 <~HockeyInJune> Download it here: http://www.immunityinc.com/products-immdbg.shtml
01:24 <~HockeyInJune> I don't have it installed, I gotta start up my VM, hold on.
01:25 <~HockeyInJune> You'll also need IDA Demo
01:25 <~HockeyInJune> So download that, but you should have it from yesterday.
01:26 <~HockeyInJune> So, open the binary in Immunity Debugger and in IDA Pro
01:27 <~HockeyInJune> In IDA Demo, we want addresses, so click Options -> General
01:28 <~HockeyInJune> And check the box that says Line Prefixes.
01:28 <~HockeyInJune> Then click ok and go back to the main function.
01:29 <~HockeyInJune> This is the important function, main, so we're going to copy the address, 00401000
01:29 <~HockeyInJune> Now, open up the binary in Immunity Debugger.
01:30 <~HockeyInJune> First, Immunity debugger break you in at ntdll
01:30 <~HockeyInJune> Press play, and you'll hit a second breakpoint at 004011FE which is in some code that was generated by msvs
01:31 <~HockeyInJune> You can see the jmp to tmainCRTStartup at 401203, that's closer to where we want to be but not exactly.
01:31 <~HockeyInJune> So, in the command bar at the bottom type "b 00401000"
01:31 <~HockeyInJune> That's the address from before that we pulled from IDA!
01:31 <~HockeyInJune> Now run again (the play button)
01:32 <~HockeyInJune> That's also F9
01:32 <~HockeyInJune> Now, you should be broken in at 00401000, at the beginnnig of main
01:32 <~HockeyInJune> We can see the call to IsDebuggerPresent
01:33 <~HockeyInJune> If this call returns true, we see that we take a short jmp to 0040101
01:33 <~HockeyInJune> Let's set a break point there.
01:33 <~HockeyInJune> Er
01:33 <~HockeyInJune> 0040101F
01:33 <~HockeyInJune> Set a breakpoint there.
01:34 <~HockeyInJune> You can see that it's not hilighted teal on the side of the disassembly.
01:34 <~HockeyInJune> Let's press play (run) again
01:34 <~HockeyInJune> Oh hey, that's cool, it returned true and hit our breakpoint because we are actually in a debugger!
01:36 <~HockeyInJune> Now, here's something interesting.
01:36 <~HockeyInJune> The next instruction after push esi
01:36 <~HockeyInJune> Is a mov esi, offset blah blah
01:37 <~HockeyInJune> That's a pointer that's being moved into esi and then we're doing some manipulation on it.
01:37 <~HockeyInJune> Let's Right click on the that pointer csaw2013.?flag@@3PADA
01:37 <~HockeyInJune> Click Follow in Dump and select immediate constant, which is the pointer.
01:38 <~HockeyInJune> Now, you should see the bottom left hand corner change, now you're inspecting that memory
01:38 <~HockeyInJune> If you're watching closely, this is the same text that would show up if you ran the program without a debugger.
01:39 <~HockeyInJune> The same text that is assigned to the text parameter of the MessageBoxA call right above the breakpoint we're currently at.
01:39 <~HockeyInJune> That's the branch that would be taken if we weren't in a debugger.
01:39 <~HockeyInJune> That's pretty cool, right?
01:40 <~HockeyInJune> Now, we're going to single-step through the rest of the program.
01:40 <~HockeyInJune> We're going to use the STEP OVER button (F8) or the one with the little red arrow pointing only down.
01:41 <~HockeyInJune> We're going to go through two loops, so expect to press it button a lot of times.
01:41 <~HockeyInJune> Once you're in the second loop, you'll start to see something interesting :)
01:41 <~HockeyInJune> In the first loop, we can watch EAX increment by one each time
01:42 <~HockeyInJune> eax is a pointer into this memory that we're inspecting in the bottom left hand corner.
01:42 <~HockeyInJune> This is actually an inlined strlen() call! How cool is that?
01:43 <~HockeyInJune> So, we're going to walk through this string until we find a null byte, then we'll subtract eax from the ecx, which is the beginning of that chunk of memory giving us the length.
01:44 <~HockeyInJune> At the end eax will point to the null byte, and ecx will point to 00408B20, the beginning of the string.
01:44 <~HockeyInJune> Let's single step until we reach the end of this loop, and stop at the beginning of the next loop.
01:46 <~HockeyInJune> Now, let's step through that second loop once.
01:46 <~HockeyInJune> Whoa, what happened, check out the memory window, it says flag.
01:46 <~HockeyInJune> That looks good.
01:46 <~HockeyInJune> Let's check out this loop real quick.
01:47 <~HockeyInJune> It's xoring a static value, 0xCCDDEEFF, with the pointer to that memory, 00408B20, * ECX * 4.
01:48 <~HockeyInJune> ecx is 0 during the first itiration, and 1 the second, so we're xoring 4 bytes at a time with that magic value.
01:49 <~HockeyInJune> Okay, I think that's enough hints.
01:49 -!- mode/#tutorials [-m] by HockeyInJune
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment