Loads of guides say that installing Virtualbox Guest Additions in your brand new Kali VM is really easy and straightforward, but they always seem to miss a step at the end which means your shared clipboard and drag and drop functionality doesn’t work properly.
TL;DR – You need to call the VBoxClient utility inside the guest with the --clipboard argument, and again with the --draganddrop option as well. Consider adding a third call with --display if you’re struggling to get the autoscaling to work properly.
I believe that responsible disclosure is in the best interests of everybody. In the event that I identify a bug in a software product or web service, the guidelines I follow are as follows.
Format String attacks are an interesting bug class: they provide you with memory disclosure opportunities as well as write-what-where opportunities. They can be used to force stack overflows which are otherwise safe, and they can defeat stack canaries and ASLR. However, outside of Linux (and on some Linux systems) they lose a great deal of their power.
When writing an exploit you might find a vulnerability that gives you control over registers other than EIP, for example you may be able to change the value of the stack pointer ESP. Alternatively you might find a stack based overflow which for one reason or another you can’t use to place a complete ROP chain, for example you may only get to execute a single gadget.
I was lucky enough to take part in the Cyberthreat 2018 CTF competition – which was utterly fantastic, with a completely over the top “pro gaming” style setup, flashing lights, sound effects, projected images and smoke machines. Obviously we didn’t win, but it was pretty epic nonetheless.
One of the challenges I solved was a binary exploitation challenge – which was remarkably similar to the registration challenge – although it had some rather trolltastic differences;
SSH is quite possibly the most powerful program you will use, and it’s deployed widely on nearly every Linux system, just waiting for you to connect in. Basic usage is remarkably straightforward, but the real fun is with the more advanced switches and features. SSH can do things that you really don’t expect.
In this exercise we need to manipulate a structure, making a value within it non-zero. We have very few tools to use to do so. This isn’t a question of overflows, as the input is length checked; it’s a memory management problem. What we need to do is somehow engineer a solution where a section of memory is still used, despite it having been marked as free. A use-after-free.
Building on the fundamentals we learned with our last ROP exploit, we’re going to learn another approach to writing ROP chains: instead of using sys_execve to spawn a shell, we’re going to use sys_mprotect to turn off the rather irritating NX protection and execute our shellcode like the good old days.
In order to execute /bin/sh with the sys_execve syscall, we need to clear a few hurdles. According to the reference, we need to set up the registers as follows;
EAX = 11 (or 0x0B in hex) – The execve syscall number
EBX = Address in memory of the string “/bin/sh”
ECX = Address of a pointer to the string “/bin/sh”
EDX = Null (Optionally a pointer to a structure describing the environment)
Once all these things are set up, executing the int 0x80 instruction should spawn a shell.
The cyberthreat2018 early registration CTF contained some nice challenges, the one that took my fancy was the last one, a binary exploitation challenge with a few rather irritating twists which force us to do a few things the hard way. This post examines the difficulties presented and lays the groundwork for our ROP exploit.