<?xml version="1.0"?>
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<name>Linux bypassing NX bit with return-to-libc</name>
<author>Thomas Shaw</author>
<description>
# Introduction
In this lab, you will develop your knowledge of memory protections and exploit techniques. The focus is on bypassing the Non-Executable (NX) stack protection, which aims to prevent attackers from running malicious code on the stack. You'll explore the theoretical concept of NX stack protection, understand how it is implemented in Linux, and learn about return-to-libc attacks, a clever exploit technique that allows you to redirect a program's execution to functions within the Standard C Library (libc) without executing any injected code.
Throughout this lab, you will learn how to bypass NX stack protection and write return-to-libc exploits. You will find the offset for the Instruction Pointer (EIP), identify the memory addresses of essential functions like execve() and exit() within libc, and construct a fake stack frame to trigger a shell using these functions. As practical tasks, you will write a Metasploit exploit module, analyze memory addresses, and run your exploit to successfully gain control over a vulnerable program.
The CTF challenges are similar to those from the previous topic; however, the vulnerable software has been compiled with stack protections and a non-executable stack, which you will learn to circumvent.
</description>
<lab_sheet_url>https://docs.google.com/document/d/1eUOb1cR-D8qv0NmlGXYUN1JYwmgrwOBNtfsDVdxnPpw/edit?usp=sharing</lab_sheet_url>
<type>ctf-lab</type>
<type>lab-sheet</type>
<difficulty>advanced</difficulty>
<CyBOK KA="SS" topic="Categories of Vulnerabilities">
<keyword>memory management vulnerabilities</keyword>
<keyword>Stack smashing buffer overflows</keyword>
</CyBOK>
<CyBOK KA="SS" topic="Mitigating Exploitation">
<keyword>NON-EXECUTABLE MEMORY</keyword>
</CyBOK>
<CyBOK KA="MAT" topic="Attacks and exploitation">
<keyword>EXPLOITATION</keyword>
<keyword>EXPLOITATION FRAMEWORKS</keyword>
<keyword>Exploit development</keyword>
<keyword>Metasploit Framework development</keyword>
<keyword>Mitigation bypass: non-executable memory</keyword>
</CyBOK>
<video>
<!-- NOTE(review): this title and its CyBOK tags (OS Security Principles) do not
     match the lab's NX-bypass / return-to-libc topic; confirm this is the
     intended prerecorded lecture for the scenario. -->
<title>Secure Design Principles</title>
<by>Z. Cliffe Schreuders</by>
<url>https://youtu.be/ywLXfSR5YWk</url>
<type>lecture-prerecorded</type>
<CyBOK KA="OSV" topic="OS Security Principles">
<keyword>Saltzer and Schroeder’s principles</keyword>
<keyword>newer principles</keyword>
</CyBOK>
</video>
<!-- Target (victim) system: Debian desktop hosting the three NX buffer-overflow
     challenges. Deliberately weakened for the exercise (see disable_aslr below). -->
<system>
<system_name>metactf_desktop</system_name>
<base distro="Debian 12" type="desktop" name="KDE"/>
<!-- Static private-network addresses shared by both systems; each system picks
     its own entry by index (access="0" here, access="1" on kali). -->
<input into_datastore="IP_addresses">
<!-- 0 metactf_desktop -->
<value>172.16.0.2</value>
<!-- 1 kali -->
<value>172.16.0.3</value>
</input>
<!-- Learner account: random username from the mythical_creatures wordlist,
     non-root (super_user=false). -->
<utility module_path=".*/parameterised_accounts">
<input into="accounts" into_datastore="account">
<generator type="account">
<input into="username">
<generator type="random_sanitised_word">
<input into="wordlist">
<value>mythical_creatures</value>
</input>
</generator>
</input>
<!-- Fixed, non-generated password: identical on every build of this scenario,
     unlike spoiler_admin_pass below, which is generated per build. -->
<input into="password">
<value>tiaspbiqe2r</value>
</input>
<input into="super_user">
<value>false</value>
</input>
</generator>
</input>
</utility>
<!-- Desktop auto-logs in the generated account and opens a terminal on start. -->
<utility module_path=".*/kde_minimal">
<input into="autologin_user">
<datastore access="0" access_json="['username']">account</datastore>
</input>
<input into="accounts">
<datastore>account</datastore>
</input>
<input into="autostart_konsole">
<value>true</value>
</input>
</utility>
<utility module_path=".*/handy_cli_tools"/>
<utility module_path=".*/hash_tools"/>
<utility module_path=".*/edb_debugger"/>
<utility module_path=".*/reversing_tools"/>
<!-- Module name indicates ASLR is switched off on this host — presumably
     deliberate so libc addresses stay stable for the return-to-libc exercise;
     verify against the module definition. -->
<utility module_path=".*/disable_aslr"/>
<!-- CTF challenges bound to the learner account. include_c is set on the first
     challenge only — presumably ships its C source; confirm against the
     metactf_challenge generator. -->
<utility module_path=".*/metactf">
<input into="account">
<datastore>account</datastore>
</input>
<input into="challenge_list">
<generator type="metactf_challenge">
<input into="challenge_path">
<value>src_sse/SSE/Ch_nx_BOF_1</value>
</input>
<input into="include_c">
<value>true</value>
</input>
</generator>
<generator type="metactf_challenge">
<input into="challenge_path">
<value>src_sse/SSE/Ch_nx_BOF_2</value>
</input>
</generator>
<generator type="metactf_challenge">
<input into="challenge_path">
<value>src_sse/SSE/Ch_nx_BOF_3</value>
</input>
</generator>
</input>
</utility>
<network type="private_network">
<input into="IP_address">
<datastore access="0">IP_addresses</datastore>
</input>
</network>
<!-- Root password is generated per build and stored in spoiler_admin_pass;
     the kali system reads the same datastore for its own root password. -->
<input into_datastore="spoiler_admin_pass">
<generator type="strong_password_generator"/>
</input>
<build type="cleanup">
<input into="root_password">
<datastore>spoiler_admin_pass</datastore>
</input>
</build>
</system>
<!-- Attacker workstation: Kali with Metasploit, on the same private network
     (takes index 1 of IP_addresses) and sharing the generated root password. -->
<system>
<system_name>kali</system_name>
<base distro="Kali" name="MSF"/>
<utility module_path=".*/handy_cli_tools"/>
<utility module_path=".*/nmap"/>
<utility module_path=".*/metasploit_framework"/>
<network type="private_network">
<input into="IP_address">
<datastore access="1">IP_addresses</datastore>
</input>
</network>
<!-- Same per-build root password as metactf_desktop (spoiler_admin_pass). -->
<build type="cleanup">
<input into="root_password">
<datastore>spoiler_admin_pass</datastore>
</input>
</build>
</system>
</scenario>