Skip to content

Commit

Permalink
Update configuration to new structure
Browse files Browse the repository at this point in the history
Update formatting, links and configuration file (`config.yaml`) to new
structure.

Signed-off-by: Razvan Deaconescu <[email protected]>
  • Loading branch information
razvand committed Dec 28, 2023
1 parent aa5125d commit 30010e9
Show file tree
Hide file tree
Showing 19 changed files with 2,293 additions and 1,953 deletions.
506 changes: 244 additions & 262 deletions chapters/binary-analysis/dynamic-analysis/reading/README.md

Large diffs are not rendered by default.

242 changes: 120 additions & 122 deletions chapters/binary-analysis/executables-and-processes/reading/README.md

Large diffs are not rendered by default.

386 changes: 239 additions & 147 deletions chapters/binary-analysis/exploration-tools/reading/README.md

Large diffs are not rendered by default.

Original file line number Diff line number Diff line change
@@ -1 +1 @@
# Disassemble methods
# Disassemble Methods
Original file line number Diff line number Diff line change
@@ -1 +1 @@
# Disassemble methods
# Disassemble Methods
Original file line number Diff line number Diff line change
@@ -1 +1 @@
# Disassemble methods
# Disassemble Methods
378 changes: 377 additions & 1 deletion chapters/binary-analysis/static-analysis/reading/README.md

Large diffs are not rendered by default.

301 changes: 0 additions & 301 deletions chapters/binary-analysis/static-analysis/reading/README_2.md

This file was deleted.

Original file line number Diff line number Diff line change
@@ -1,9 +1,3 @@
---
linkTitle: Buffer Exploitation
type: docs
weight: 10
---

# Buffer Exploitation

Table of Contents
Expand All @@ -28,7 +22,7 @@ Table of Contents

## Pwntools

In this lab we will be using the `pwntools` python module to solve the tasks. Check outh the [Pwntools Tutorial section](../../extra/pwntools-intro/README.md).
In this lab we will be using the `pwntools` python module to solve the tasks. Check outh the [Pwntools Tutorial section](../../../extra/pwntools-intro/reading).

## Buffers

Expand Down Expand Up @@ -169,10 +163,10 @@ Non-static local variables and dynamically allocated buffers cannot be seen in t
> <i> Note that this is the stack for a 64bit system and the first couple of function arguments are stored in registers (rdi, rsi, rdx, rcx, r8, and r9) and that's why the images has `arg_6` as the first argument. </i>
We should know by now that the stack serves multiple purposes:
* Passing function arguments from the caller to the callee
* Storing local variables for functions
* Temporarily saving register values before a call
* Saving the return address and old frame pointer
- Passing function arguments from the caller to the callee
- Storing local variables for functions
- Temporarily saving register values before a call
- Saving the return address and old frame pointer

Even though, in an abstract sense, different buffers are separate from one another, ultimately they are just some regions of memory which do not have any intrinsic identification or associated size. To avoid this, most hight level languages use size metadata and bound checks to detect out of bounds accesses to the memory.

Expand Down Expand Up @@ -249,7 +243,8 @@ For a simple buffer overflow the worflow is:
4. search the offset of the faulty address in the generated pattern to get an offset

In pwndbg this works as such:
```

```console
pwndbg> cyclic -n 8 256
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaab
pwndbg> run
Expand All @@ -272,36 +267,39 @@ Program received signal SIGSEGV, Segmentation fault
pwndbg> cyclic -n 8 -c 64 -l 0x6161616161616172
136
```
_Note: we get the same 136 offset computed manually with the static analysis method._

Note: We get the same 136 offset computed manually with the static analysis method

## Input-Output functions

Most programs aren't a straight forward single input buffer overflow so we need to deal with things like:
* automizing program input-output - by programmatically sending and receiving data
* parsing program output - to use potential leaked information
* understand the mechanics of the IO methods used - what kind of data they accept and possible constraints

- automizing program input-output - by programmatically sending and receiving data
- parsing program output - to use potential leaked information
- understand the mechanics of the IO methods used - what kind of data they accept and possible constraints

_Pwntools_ offers a large area of [IO functions](https://docs.pwntools.com/en/stable/tubes.html) to communicate with a program (either local or remote).
The basic and usual ones are:
* `send(data)` - sends the `data` byte string to the process
* `sendline(data)` - shorthand for `send(data + b"\n")`
* `recv(num)` - recieves `num` bytes from the process
* `recvline()` - recieves a whole line from the process (until '\n')
* `recvuntil(str)` - receives data until `str` is found (will not contain `str`)
* `recvall()` - receives the full program ouptut (until EOF)

- `send(data)` - sends the `data` byte string to the process
- `sendline(data)` - shorthand for `send(data + b"\n")`
- `recv(num)` - recieves `num` bytes from the process
- `recvline()` - recieves a whole line from the process (until '\n')
- `recvuntil(str)` - receives data until `str` is found (will not contain `str`)
- `recvall()` - receives the full program ouptut (until EOF)

> Check the documentation for more complex IO functions that might come in handy (like `recvregex`, `sendafter`).
It is also important to understand the functionality of the different IO functions the program itself uses. For C programs, in our case, you can always
find useful information in the man pages of specific functions, TL;DR:
* `size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream)` - reads *nmemb* items of data, each *size* bytes long,
* simple and straightforward
* `char *gets(char *s)` - reads until either a terminating newline or EOF, which it replaces with a null byte ('\0')
* the problem here is that you won't be able to have a newline in the middle of your payload; note that it doesn't have a size argument to it will read indefinetely as long as it doesn't reach a newline or EOF
* `char *fgets(char *s, int size, FILE *stream)` - reads in **at most** one less than *size* characters from stream and stores them into the buffer pointed to by s. Reading stops after an **EOF** or a **newline**. If a **newline** is read, it is stored into the buffer. A terminating null byte ('\0') is stored after the last character in the buffer.
* this one adds the size limit argument, but also note that it **stores** the newline in the string and **adds** the null byte after (in contrast to `gets`)
* `int scanf(const char *format, ...)` - as opposed the other funcions `scanf` reads **text** based on the format string and parses it
* don't do the common mistake of **sending binary data to scanf**, for example `"%d"` expects a string representation of a numer like `"16"`, not the binary data like `"\x00\x00\x00\x10"`
- `size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream)` - reads *nmemb* items of data, each *size* bytes long,
simple and straightforward
- `char *gets(char *s)` - reads until either a terminating newline or EOF, which it replaces with a null byte ('\0')
the problem here is that you won't be able to have a newline in the middle of your payload; note that it doesn't have a size argument to it will read indefinetely as long as it doesn't reach a newline or EOF
- `char *fgets(char *s, int size, FILE *stream)` - reads in **at most** one less than *size* characters from stream and stores them into the buffer pointed to by s. Reading stops after an **EOF** or a **newline**. If a **newline** is read, it is stored into the buffer. A terminating null byte ('\0') is stored after the last character in the buffer.
this one adds the size limit argument, but also note that it **stores** the newline in the string and **adds** the null byte after (in contrast to `gets`)
- `int scanf(const char *format, ...)` - as opposed the other funcions `scanf` reads **text** based on the format string and parses it
don't do the common mistake of **sending binary data to scanf**, for example `"%d"` expects a string representation of a numer like `"16"`, not the binary data like `"\x00\x00\x00\x10"`

> Every time you encounter a new input function check the documentation to find it's limitations
Expand Down Expand Up @@ -362,9 +360,7 @@ Time for a more complex challenge. Be patient and don't speed through it.

# Further Reading

[De Bruijin sequences](https://en.wikipedia.org/wiki/De_Bruijn_sequence)

[PwnTools ELF Module](https://docs.pwntools.com/en/latest/elf/elf.html) (which internally uses [PyElftoools](https://github.com/eliben/pyelftools) and may expose such objects)

[PwnTools IO](https://docs.pwntools.com/en/stable/tubes.html)
- [De Bruijin sequences](https://en.wikipedia.org/wiki/De_Bruijn_sequence)
- [PwnTools ELF Module](https://docs.pwntools.com/en/latest/elf/elf.html) (which internally uses [PyElftoools](https://github.com/eliben/pyelftools) and may expose such objects)
- [PwnTools IO](https://docs.pwntools.com/en/stable/tubes.html)

Loading

0 comments on commit 30010e9

Please sign in to comment.