5MMSSI-2011-2012-practical assessment-basics in exploitation

De Ensiwiki
Aller à : navigation, rechercher

Introduction

Rules

  • each GI student has to be with 1 Ensimag student
  • each MMIS with 1 GI or SIF
  • persons per group: 2 ; form your groups on TEIDE ; no bonus point will be granted if a group only has 1 student
  • practical assessment due on TEIDE

Fraud

We kindly remind your that Ensimag enforces strict rules regarding frauding (See charte d’utilisation du matériel informatique).

Teachers might use automatic fraud detection tools to observe suspect similarities between deliverables. Each proven fraud will entail that several groups will get a 0/20 mark at the practical assessment, without any 2nd session possibility. Teachers will not try to understand which group did copy and which one did not.

Recidivism will be punished in conformance to the student rules (règlement des études).

Requirement

  • follow VirtualBox instructions on VirtualBox-5MMSSI
  • Install Virtualbox hypervisor on your computer.
  • Download the Ensimag-5MMSSI-2011-2012-TP1_virtual_machine
  • Unzip it (eg: using 7-Zip)
  • Register the virtual machine in your hypervisor (import)
  • logon on the Windows XP virtual machine
    • credentials logon / password: TP exploitation.7z: user / user
    • TP exploitation.ova: user / (empty password)

Practical assessment paper

Fichier:5MMSSI-2011-2012-TP1-Basics in exploitation.pdf

Questions

In case you do experience some difficulty with the assessment, please ask your question here, and then also send it by email to Fabien and Karim.

Answered questions

  • How do we ask a question for that assessment?
    • Please write your question by copying and adapting the lines after the "Unanswered Section"
    • also please send an email to Karim and Fabien with the exact same text as the one you wrote on that page



  • Does VirtualBox only work on Linux OSes?
    • Virtual box acts as an hypervisor. It is implemented for major oses (Windows, Linux, Mac OS X)



  • On Mac OS X, VirtualBox throws an error when I try to open the [i]TP exploitation.vbox[/i].
    • With a text editor, open TP exploitation.vbox, locate the part:
 <SharedFolders>
       <SharedFolder name="Shared" hostPath="D:\Shared" writable="true" autoMount="true"/>
     </SharedFolders>

Then remove the line

<SharedFolder name="Shared" hostPath="D:\Shared" writable="true" autoMount="true"/>

Save the .vbox file Close your text editor Try again to open the vbox file




  • "Now we want to set a breakpoint.

Use Right click > Search for > All intermodular call > printf to a find ..." I am stucked here, the "All intermodular call" has no subsection and clicking on it then opens a new window in which it is nowhere referenced any printf! I have a window titled "Found intermodular calls" which is composed of a 3 columns array (Address, Disassembly, Destination), no menu and no reference to the printf function

    • In "destination", there is a list of the called functions regarding that format:

library.name, for printf it is msvcrt.printf (FYI, msvcrt stands for MicroSoft Visual C++ Runtime) Please check that ex0.exe is open and that the CPU view is positionned on the ex0 module ("module ex0" in the window title)

    • First go back to the ex0 module: View > Executable modules (ALT+E) and select ex0. Then it will go smoothly..

Here is what you should see:

5MMSSI-2011-2012-TP1-find printf.png




  • On nous demande de :

"Run the program (standalone, without the debugger attached) and play with it. Explain what is the purpose of that executable." Mais la fenetre s'affiche et on a aucune interaction possible avec le programme. Est ce normal ?

    • Il semble d'après les questions suivantes que ce ne soit qu'un serveur de réception. (On lui envoie des messages via sendString.py)
    • Yes, service server, waiting for INBOUND TCP connections (because of the SOCK_STREAM in the client python script)



  • where is ex1.exe?
    • Understand ex1/server.exe



  • Q6 (a) Launched server in debug and triggered overflow with script. Server.exe does throw an exception but CPU main view does not show the instruction (assembly window is empty) ... anyone with the same pb?
    • The cpu view is not empty if you send a message of exactly 256 char (Don't forget the last automatic char). Actually, the window flushes at the 262th visible char.
    • This means that no overflow was triggered. First of all, without any debugger attached, you would have to crash the ex1/server.exe:
5MMSSI-2011-2012-TP1-ex1-overflow.png

As suggested by above, you have to send a sufficiently long message to trigger it.

  • That's what I did. I've sent a 1024 bytes-long buffer which cause server.exe to crash but CPU view is empty as shown on the following picture (apologies for the poor quality).
ISS2011wecxstea1.png
  • EDIT As strange as it sounds, it works with 256 bytes-long buffers... thanks Nicolas.



  • There is no "JMP ESP" in kernel32.dll. I used one in RPCRT4.dll (at address 77E655FA).
    • "Find a jmp esp" c'est générique, il y avait 2 possibilités pour passer cette question :
      • Penser à regarder dans les autre modules comme tu as fais
      • Penser a trouver l'équivalent de jmp esp: call esp, par exemple

Pour ceux qui sont restés bloqué ici, voici une liste d'adresses utilisables :

      • Found jmp esp at 0x77E1BB17 [advapi32.dll]
      • Found jmp esp at 0x77E1C3F3 [advapi32.dll]
      • Found jmp esp at 0x77E1F2C8 [advapi32.dll]
      • Found jmp esp at 0x77E32096 [advapi32.dll]
      • Found jmp esp at 0x77E655FA [rpcrt4.dll]
      • Found jmp esp at 0x77E7024B [rpcrt4.dll]
      • Found jmp esp at 0x77DBF069 [advapi32.dll]
      • Found jmp esp at 0x77DEB52B [advapi32.dll]
      • Found jmp esp at 0x77DEBE1B [advapi32.dll]
      • Found jmp esp at 0x77DF6323 [advapi32.dll]
      • Found jmp esp at 0x77DF7023 [advapi32.dll]
      • Found call esp at 0x77E1D75A [advapi32.dll]
      • Found call esp at 0x77E240DA [advapi32.dll]
      • Found call esp at 0x77E36EC4 [advapi32.dll]
      • Found call esp at 0x77E37EEC [advapi32.dll]
      • Found call esp at 0x719FF8FB [ws2_32.dll]
      • Found call esp at 0x7C8369D8 [kernel32.dll]
      • Found call esp at 0x7C872E1B [kernel32.dll]
      • Found call esp at 0x77DBF01C [advapi32.dll]
      • Found call esp at 0x77DBF0D2 [advapi32.dll]
  • But with 260 "a" in the padding, "\xfa\x55\xe6\x77" and the program in the shellcode, it doesn't arrive to overwrite ESI register. Why ?
    • C'est le registre EIP qu'il faut réécrire pas ESI.
    • 260 de padding c'est bon, tu devrais bien réécrire EIP par 0x77e655fa, éxécuter ce "jmp esp" pour aller au shellcode et là ... un ptit problème

mais c'est normal, c'est expliqué dans le TP.

This seems to cause trouble for a lot of people. EIP does not point on the first instruction of the shellcode. To "smooth" things a bit, we can fill the stack with NOP operations before the shellcode (i.e. add "\x90" instructions between jmp adress and shellcode).




  • What is the 3e8-EAX result ?! Is it the concatenation in hexa ? The subtraction?
    • On doit mettre 1000 dans la variable target. 1000 en hexa ca fait 3e8. Dans EAX, il y a déjà un certain nombre (le nombre de caractères déjà affichés), pour aller à 1000 il faut encore afficher 3e8-EAX, EAX étant la valeur du registre EAX.
    • Donc la soustraction



Unanswered questions