HOW TO DISABLE ASLR USING COMMAND LINE

     ASLR - Address space layout randomization

  

ASLR is used as  memory protection method to protect the program from being exploited using the buffer overflow attacks. It functions by randomizing the locations of executional objects in the memory. 

 You can get the value of the ASLR randomizer by using 

       ->     $ cat /proc/sys/kernel/randomize_va_space

The value will most probably be 2. Which means the Last two digits of a memory will be randomized. 

 eg :- suppose a certain object is in 0xdeadbeef . The next time the last two digits "ef"  will be different.

Hence to make the address randomization null you need to put zero in place of two.

       ->     $ echo 0 | sudo tee /proc /sys/kernel/randomize_va_space

Here sudo tee is used because sudo as certain restrictions while piping standard output to a certain file .

         HOW TO DISABLE CANARY AND RELRO WHILE COMPILING

There are certain flags which will help in disabling are

 -fno-stack-protector , -z,norelro

These can be used while compiling a program like 

  gcc -fno-stack-protector file.c -o a.out

ICECTF 2016 - DRUMPF BINARY

Binary overview:-

     The Binary has facility to book a suite, book  a room , delete booking and to print booking. The Aim is to change the flow of control to the flag function which obviously prints the flag. The program is protected by Canary, NX and RELRO is partially enabled. The program employs the use of Malloc() and free(). Finding the vulnerability would be a child's play for a experienced exploiter. The vulnerability is called Use after free vulnerability .

 Intro to Use After Free vulnerability:-
      To understand what the Use After Free vulnerability is one needs to understand what are the functions and how they are used wrongly which causes such a vulnerability to rise

• Malloc() :-  void *malloc(size_t size)                                                         The function allocates the memory given to it and returns a pointer to the location where it is stored or NULL if it fails.
• Free() :-  void free(void *ptr)                                                                     This function is used to deallocate the memory previously allocated by a calloc, malloc or realloc function. It doesn't return any value.              Certain things to Note here are :
•  The Free functions doesn't clear the data which is allocated. It just makes that area available for storing data and new data overwrites the previous ones.
• The pointer pointing to the location isn't deleted and will be reused for the next malloc() unless it is cleared by using *ptr=0. This is the vulnerability which is exploited in this method.

 Solution  :-
     The functions for booking a room and booking a suite seem a bit different.
on closer looking the function for booking a suite after decompilation using IDA pro.

    int book_suite()
{
  _DWORD *v0; // ebx@1
  char s; // [sp+1Ch] [bp-1Ch]@1
  int v3; // [sp+2Ch] [bp-Ch]@1

  v3 = *MK_FP(__GS__, 20);
  suite = malloc(264u);
  printf("Name: ");
  fflush(stdout);
  fgets(suite + 4, 256, stdin);
  *suite = print_name;
  printf("Suite number: ");
  fflush(stdout);
  fgets(&s, 16, stdin);
  v0 = suite;
  v0[65] = atoi(&s);
  puts("Booked a suite!");
  fflush(stdout);
  return *MK_FP(__GS__, 20) ^ v3;
}     

 The size of the suite is declared to be 264 bytes , and the name of the person is stored from the fourth to the 260th byte. *suite which gives the first four bytes of suite since it is a 32bit program is used to store the address of the function print_name. The Suite number is converted into an integer and stored in the last four bytes of the suite object. On successfully creating the object the function prints "Booked a suite!".

On examining the book_room function.
               int book_room()

{
  int *v0; // ebx@1
  char s; // [sp+1Ch] [bp-1Ch]@1
  int v3; // [sp+2Ch] [bp-Ch]@1

  v3 = *MK_FP(__GS__, 20);
  room = malloc(260u);
  printf("Name: ");
  fflush(stdout);
  fgets(room + 4, 256, stdin);
  printf("Room number: ");
  fflush(stdout);
  fgets(&s, 16, stdin);
  v0 = room;
  *v0 = atoi(&s);
  puts("Booked a room!");
  fflush(stdout);
  return *MK_FP(__GS__, 20) ^ v3;
}

The room object is created using 260 bytes and the first four bytes is used to store the room number and the rest is used to store the name.

In the delete booking function we find the vulnerablity we need to exploit.

int delete_booking()
{
  int v1; // [sp+1Ch] [bp-Ch]@1

  v1 = *MK_FP(__GS__, 20);
  if ( suite || room )
  {
    if ( suite )
    {
      free(suite);
      puts("Suite booking deleted!");
      fflush(stdout);
    }
    if ( room )
    {
      free(room);
      puts("Room booking deleted!");
      fflush(stdout);
    }
  }
  else
  {
    printf("No booking found!");
    fflush(stdout);  }
  return *MK_FP(__GS__, 20) ^ v1;
}   

After the free() the pointer isn't deleted which means we found our vulnerability .
So we know the location where the suite and room objects are kept. This is used to get the flag

On analysing the print booking function one can see that the first four bytes of the suite object which is suppossed to contain the address of the print name is being excecuted. This is the place where we need to have the adress of the flag function so that it gets excecuted.

int print_booking()

{

int v1; // [sp+1Ch] [bp-Ch]@1

v1 = *MK_FP(__GS__, 20);

if ( suite || room )

{

if ( suite )

{

(*suite)(suite + 4);

printf("Rooms number: %u\n", *(suite + 65));

fflush(stdout);

}

if ( room )

{

printf("Name: %s", room + 4);

printf("Rooms number: %u\n", *room);

fflush(stdout);

}

}

else

{

printf("No booking found!");

fflush(stdout);

}

return *MK_FP(__GS__, 20) ^ v1;

}

The only object which takes a input as the first five bytes is the room object there fore we need to excecute the suite statement while having a room object.

Steps to do to obtain the solution:

                                           book a suite providing theneccessary details and then delete it so that we will obtain the pointer to the location of the objects . Now proceed to book a room such that the room no which is the first four bytes will contain the address of the flag function. Now when you excecute the print booking function you excecute the flag function because now the print functon thinks that the object is a suite since the pointer points to the same location and the first four bytes get executed .

RSA ENCRYPTION

RSA algorithm is used to encrypt data over the Internet by providing public keys for the data to different users.The RSA cryptosystem is the most widely-used public key cryptography algorithm in the world. It can be used to encrypt a message without the need to exchange a secret key separately.

             The algorithm is fully based on mathematics and is fairly simple to understand.

THE ALGORITHM:

•  Two prime numbers p and q are generated.
•  The Modulus N is found such that N=pq (N should be of required key length k)
• phi= (p-1)*(q-1)
• An Integer between 1 and phi is chosen to be the encryption key "e". This should be such that the HCF (e,phi) =1.
• The Secret exponent "d" -> the decryption key is generated such that it follows 1 < d < phi  and that e*d (mod phi) =1   .
• The message to be encrypted is converted to decimal and i represented by "M".
• After encryption the cypher text is called "C". 
• The public key given is (N,e)
• Encryption is done according to the formula

                                 C=(M^e) mod (N)    --------------------------------------(1)

• Decryption is done according to 

                                M=(C^d) mod (N)    ---------------------------------------(2)

•  The encryption is said to be secure if the value of e is greater than 0x10001 or 65537.
• k is usually 1024 , 2048

HOW TO DECRYPT:

1. If only cypher-text C, modulus N and encryption key e is given. And e = 1

          If e=1 then the cypher-text C is the same numerical equivalent of the message cipher. One just needs to convert the Cypher-text back to text. This situation indicates failure of the Cypher and is a strict no-no case.

   2. If only cypher-text C, modulus N and decryption key d is given.
            This situation should only be dealt by the person for whom the message was intended any one else coming across this situation shows a complete failure of the usage of the encryption.

   3. If cypher-text C, modulus N, phi , decryption key d and encryption key e is given. And the numbers are big.
             The problem be solved using a simple python program which uses the equation (2) to solve the question. The code for the problem is given below with large numbers


N =43210326036290106251088810298667915702007744567467854988107937233622821671752930583378558808381197036542903396534337305723496107154050324953536530993744267386008120658910242143992656773360792182698142273761182047011119261779988377408208858109503177413194541524543447827777831409903664749520527375514748678462101261445039900408999429969510786960471887158957679337190091527913340383310225813322177657695256994315048270952315001100548949554323965404643005206732777361386623591544461533797263652780595639288158892122219626720481472616420118039436680647298714768071797941290307081010086729667552569828323354008441335674251

e =65537

c =37209877026138824302301697292319328185824059912506644719041273895972747926698556612194455367172368277268883774102719113194850674012999971337550561061697826458468363574428378679179721672530515881761949297613967812683948622068020382771205609975220407119022966600675469044732891210789248284410739482876937857726026431593283960162298707892143970513804892248370427455318472402011536095802255121284911517882268092785246985981687913310965628793178703498961617628661113277249071490584774764571170891391355080033791745662119139170834529306548644716069025161989103880671580075279656495472299747401794635781847901588156099495017

phiN = 43210326036290106251088810298667915702007744567467854988107937233622821671752930583378558808381197036542903396534337305723496107154050324953536530993744267386008120658910242143992656773360792182698142273761182047011119261779988377408208858109503177413194541524543447827777831409903664749520527375514748678461684001179681025836243272641520046001108394411608315423967170123709569701951917513847951924936347574671212789694222728087028519090194131250999358518159691864169187723815719657688598576820104123456547706995794001020837756695923476582226622677087727699446323459489485731800382017980557710365098279949382831681952

d=36745622940545343875759976434157197886755506358760982257308567037006074391719705315666781200065625116203199598633622026070492775743618607966652393996419663853350085914252797887742782661594880295499227386075929594641556658033207382848075073319786244161193801795105901007640174254798831863226544268004149920625395925259715625248417078457317167458592444532825039828013768181860349705192246622240475711133444054985367520564542488697167606480838294747710396401026533820191299116891186474240520253953309474166963956334430798860084072450328931700881244717326902973061667440442315315084591766881188371668945135391290476758145

m = hex(pow(c, d, N)).rstrip("L") #the third argument is mod with the first raised to the second
print m
 

   The program will give you a insight into how large numbers are used and how python solves them easily.


this are the few types of RSA that can be cracked the rest cannot be cracked easily by anyone . Bruteforcing can take a long time.