WEBVTT 00:00.330 --> 00:01.770 Welcome back to another video. 00:01.800 --> 00:06.000 In this video, we are going to discuss a technique called Return to Play. 00:06.810 --> 00:13.740 Using this technique, we can use the procedure in case table to bypass an X and a slot. 00:14.770 --> 00:19.690 We will use the addresses of gadgets and functions from within the library. 00:19.930 --> 00:24.520 So this particular technique has some prerequisites for the attack to work. 00:24.940 --> 00:30.940 The binary should contain gadgets and functions that can be useful for our exploitation. 00:31.820 --> 00:35.640 And the binary should be compiled using no p flag. 00:35.660 --> 00:42.530 As I mentioned in the last lecture, now let's use the same binary that we have used to understand plt 00:42.530 --> 00:46.520 and geode concepts since it meets all the requirements. 00:46.970 --> 00:51.170 So let's switch to the virtual machine and let's begin writing this exploit. 00:52.280 --> 00:54.560 Let's quit from this GDB session 00:57.500 --> 01:00.050 and let's quickly take a look at the Makefile. 01:00.170 --> 01:04.070 If you notice, we have no p flag set here. 01:04.100 --> 01:05.660 So our binary is good. 01:05.990 --> 01:14.030 And if you notice the vulnerable program, we have a system function being used within the program so 01:14.030 --> 01:18.090 we can try to make use of the system function and we want a shell. 01:18.110 --> 01:22.560 But this particular system function is just executing that command. 01:22.580 --> 01:26.090 We don't want to execute that command as part of our exploit. 01:26.090 --> 01:33.170 So we will have to find out the string SW edge and we will have to pass that as an argument to this 01:33.170 --> 01:33.800 function. 01:34.040 --> 01:35.600 So that's what we are going to do. 01:35.600 --> 01:40.820 Now if you observe this binary also has the string S-H within the binary. 01:41.270 --> 01:48.590 So we can try to find out the address of the string S-H and we can pass that as an argument to this 01:48.590 --> 01:49.700 system function. 01:49.820 --> 01:52.040 So let's see how we can do that. 01:52.280 --> 01:58.700 As I mentioned earlier, this technique is going to bypass both an X as well as a slot. 01:58.730 --> 02:05.690 So before we proceed further, let's quickly ensure that we have an X and a slot enabled. 02:05.870 --> 02:10.640 If you notice, there is no dash z exec stack flag here. 02:10.880 --> 02:14.600 That means by default the stack will not be executable. 02:15.050 --> 02:25.160 And let's also go to the ASLA directory and let's quickly check if a slot is enabled. 02:27.050 --> 02:27.730 Look at that. 02:27.740 --> 02:29.240 A slot is enabled. 02:29.720 --> 02:33.290 Let's once again go back to this red to play directory 02:37.310 --> 02:39.680 and let's load the binary using gdb. 02:42.560 --> 02:44.390 Now let's quickly run check seq. 02:45.560 --> 02:50.270 And if you notice even check seq shows that an x is enabled. 02:50.510 --> 02:55.340 Now let's quickly check what functions are available within the binary. 02:55.700 --> 03:00.380 I'm just going to type in four functions before starting the binary. 03:02.030 --> 03:02.740 Here it is. 03:02.750 --> 03:05.910 If you notice, we have a system at PLT. 03:06.320 --> 03:12.740 If you notice, as we have seen earlier, the binary has a call to system at PLT. 03:13.040 --> 03:20.840 We can make use of this address and invoke it using appropriate arguments in order to execute system 03:20.840 --> 03:23.540 commands like I mentioned earlier. 03:23.570 --> 03:32.180 This defeats both SLA as well as an ex because we are not relying on the addresses from Lipsey and thus 03:32.180 --> 03:33.200 we are not bothered. 03:33.200 --> 03:40.510 Even if SLA is enabled, we are not executing any shell code on the stack and thus we are not worried 03:40.520 --> 03:43.220 even if an X is enabled for this binary. 03:43.910 --> 03:48.530 Now there is another way to obtain the address of this system at PLT. 03:48.560 --> 03:59.900 We can just open up a new tab and type obj dump dash the vulnerable type grep 04:02.210 --> 04:03.140 system 04:06.950 --> 04:10.940 and we are just dumping three instructions after this address. 04:11.630 --> 04:16.640 If you notice, 401070 is what we have gotten here. 04:16.670 --> 04:19.550 This is the system function from GPC. 04:19.580 --> 04:22.290 So this is the address of system function. 04:22.310 --> 04:24.920 If you notice, we have the same address here. 04:24.920 --> 04:27.260 401070. 04:27.560 --> 04:33.410 And if you go back 401070 is what we have gotten even earlier. 04:33.530 --> 04:38.150 So once again, we have gotten the same address using object dump. 04:38.330 --> 04:46.340 Now the next goal is to find out an appropriate argument to system function so that we can get a shell. 04:46.820 --> 04:50.760 Let's check if the binary has any references to the string. 04:52.040 --> 04:58.760 So I'm just going to run the binary by setting up a breakpoint at main. 05:01.750 --> 05:10.570 Now let's use Jeff's search pattern command and let's search for the pattern. 05:13.150 --> 05:17.440 If you notice, there is a large output, so let's scroll up. 05:17.830 --> 05:25.180 We want to look for the references within the binary so that we don't need to deal with an X and Aslan. 05:28.040 --> 05:28.800 Here it is. 05:28.820 --> 05:31.520 If you notice, there is one reference here. 05:31.520 --> 05:40.400 This is the first reference that we have gotten and S.H. is actually available at 402029 address. 05:40.640 --> 05:44.000 So we have gotten a reference to the string S-H. 05:44.210 --> 05:53.150 Now we need to find a gadget that can place this address in Register D so we can call system function, 05:53.150 --> 05:58.220 which will take S-H available in D as its argument. 05:58.220 --> 06:02.960 So let's load the binary into rapper to be able to search for the gadgets. 06:03.200 --> 06:09.320 I'm just going to the next tab and let's use wrapper. 06:11.540 --> 06:13.880 Let's type file vulnerable. 06:16.790 --> 06:21.260 Now let's search for the instructions for our D.I. 06:22.760 --> 06:23.420 There you go. 06:23.450 --> 06:29.000 Looks like we are lucky because we have gotten a useful gadget within the binary itself. 06:29.210 --> 06:31.900 So basically we need three addresses. 06:31.910 --> 06:39.260 The address of this gadget, the address of S-H string and the address of system function. 06:39.650 --> 06:40.010 Right. 06:40.010 --> 06:47.930 So let's begin writing our exploit and just opening up a new tab and let's type exploit dot p l, I 06:47.930 --> 06:59.420 mean space exploit dot peel and let's once again write our regular lines of our exploit the shebang 07:01.580 --> 07:02.330 this line. 07:03.320 --> 07:16.610 And like we usually do, let's specify 256 characters, which is going to be the offset to our BP register. 07:17.960 --> 07:22.910 We are using the same vulnerable function with 256 bytes of input. 07:23.390 --> 07:31.790 So we are just going to use the same exploit template here and let's append a base and this is going 07:31.790 --> 07:33.050 to be our BP. 07:34.190 --> 07:39.620 And right after this, we should be able to override the saved return address, which is going to be 07:39.620 --> 07:40.940 stored in our IP. 07:41.180 --> 07:46.730 Now, this is where we want to specify the address of pop gadget. 07:46.880 --> 07:51.650 So let's use junk and let's append pack 07:56.270 --> 08:02.690 and let's specify the address of the gadget with the instruction pop, which is this. 08:03.800 --> 08:05.420 So I'm just copying this. 08:08.760 --> 08:14.970 And let's face it here, remember, we are just using the addresses within the binary itself so we do 08:14.970 --> 08:17.340 not need to add it to the base address. 08:18.000 --> 08:23.250 Let's also add a comment here with the instructions that we have gotten from the gadget. 08:24.660 --> 08:25.320 Here it is. 08:25.320 --> 08:26.760 We can just copy this. 08:29.580 --> 08:30.960 Let's just paste it here. 08:31.590 --> 08:35.040 So if you notice, this is pop the instruction. 08:35.040 --> 08:42.060 So when pop the instruction gets executed, something which is on the top of the stack is going to be 08:42.060 --> 08:44.190 popped into the register. 08:44.430 --> 08:50.700 In this case, we want that something that is available on the top of the stack to be the reference 08:50.700 --> 08:52.070 to asset string. 08:52.080 --> 09:06.530 So let's use junk append pack with the option Q and let's specify the address of the string S-H. 09:06.570 --> 09:08.970 So let's go back to the Jeff Shell. 09:10.340 --> 09:12.080 And let's copy this. 09:14.230 --> 09:16.180 402029. 09:20.040 --> 09:27.450 And let's just play straight here once again, let's add this in the comments here, 09:30.240 --> 09:32.400 S-H from Binary. 09:35.030 --> 09:35.250 Okay. 09:35.390 --> 09:39.790 Now we are done with setting up the argument for system function. 09:39.800 --> 09:43.010 Now all we have to do is invoke system function. 09:43.220 --> 09:47.240 So let's quickly grab the address of system function. 09:47.720 --> 09:55.400 I'm just going to execute this once again here so we can just grab the address of system function. 10:03.420 --> 10:03.990 PAC 10:07.350 --> 10:07.950 q. 10:10.540 --> 10:12.280 And we're just pasting it here. 10:12.850 --> 10:18.190 Let's add Xerox in the beginning and let's use a semicolon. 10:19.330 --> 10:25.240 And let's comment it out as system add pulled from binary. 10:26.080 --> 10:29.860 And let's also add this as from binary. 10:30.820 --> 10:31.430 There it is. 10:31.450 --> 10:38.860 Now, once this is done, we can just print junk and let's see if this exploit works. 10:39.670 --> 10:41.290 I'm just saving the file. 10:43.150 --> 10:52.930 Let's give it executable permissions and let's quickly test it by using dot slash exploit pl cat and 10:52.930 --> 10:54.910 let's pipe it to vulnerable. 10:57.010 --> 10:57.850 Let's hit enter. 10:57.880 --> 10:59.320 Let's type some command. 11:00.130 --> 11:00.700 Oops. 11:00.700 --> 11:04.510 There is a segmentation fault and the exploit failed. 11:05.140 --> 11:09.370 We will have to delegate using gdb and understand what happened. 11:09.760 --> 11:17.770 So let's first generate the payload using exploit pm and let's save the payload in the file payload. 11:18.340 --> 11:23.860 Now let's use gdb dot slash vulnerable space dash queue. 11:25.120 --> 11:31.750 Let's use this as one underscore function to get the address of this RET instruction as usual. 11:31.780 --> 11:38.590 And let's set up a breakpoint here and let's run the binary using the payload that we have just generated. 11:40.690 --> 11:41.170 There it is. 11:41.170 --> 11:47.580 We have hit the breakpoint and we are now about to execute pop die, which is expected. 11:47.590 --> 11:49.180 So let's type C. 11:50.500 --> 11:57.040 Yes, we are about to place the address of the string S-H, which is looking fine. 11:57.040 --> 12:05.470 So let's type C and we are now about to execute this red instruction which is going to take us to this 12:05.470 --> 12:06.960 system at PLT. 12:07.090 --> 12:14.950 Once again, this is expected, so let's type C now we are within this system at PLT, so let's type 12:14.950 --> 12:15.730 continue. 12:18.300 --> 12:19.100 There it is. 12:19.110 --> 12:23.580 We encountered a segmentation fault at this instruction. 12:24.210 --> 12:27.420 If you remember, we discussed this problem earlier. 12:27.450 --> 12:35.430 This is a stack alignment issue, so we need to ensure that the stack is 16 byte aligned to fix this 12:35.460 --> 12:36.660 like we did earlier. 12:36.660 --> 12:41.730 We can add an address of read instruction in the beginning of our gadget chain. 12:41.910 --> 12:52.500 So once again, let's go back and use our ROPPER tool to find out a gadget with the instruction read. 12:52.830 --> 12:58.020 So I'm just going to use search slash one red. 12:58.710 --> 12:59.220 Here it is. 12:59.220 --> 13:00.420 We found one gadget. 13:00.420 --> 13:01.680 Let's copy this. 13:02.780 --> 13:04.730 And let's go back to our exploit. 13:05.930 --> 13:07.310 Let's quit this shell. 13:07.640 --> 13:18.890 Let's use vim, exploit, dot, peel, and let's place it right before this gadget pack. 13:22.970 --> 13:24.260 And let's face it here. 13:27.500 --> 13:28.190 Right. 13:29.180 --> 13:29.600 All right. 13:29.600 --> 13:31.790 Once again, this is from binary itself. 13:32.330 --> 13:37.340 Let's save the file and let's try to execute the exploit once again. 13:41.540 --> 13:43.850 Let's hit enter and let's type some command. 13:44.180 --> 13:45.320 And there it is. 13:45.320 --> 13:53.660 The exploit worked and we have successfully circumvented an X and a slot protections just by using the 13:53.660 --> 13:55.430 addresses within the binary. 13:55.940 --> 14:04.400 Remember we disabled P which stands for position independent executable and thus we are able to use 14:04.400 --> 14:06.740 the addresses that we have used in our exploit. 14:06.860 --> 14:10.250 So this is how a red two field technique works. 14:10.460 --> 14:17.840 We need to have certain gadgets and functions available within the binary and P should be disabled within 14:17.840 --> 14:18.450 the binary. 14:18.470 --> 14:25.370 If these conditions meet, we can easily exploit a binary, even when an x and slot are enabled.