OverRide - Binary Exploitation and Reverse-Engineering (from assembly into C)

Overview

OverRide

Explore disassembly, binary exploitation & reverse-engineering through 10 little challenges.

In the folder for each level you will find:

  • flag - password for next level

  • README.md - how to find password

  • source.c - the reverse engineered binary

  • dissasembly_notes.md - notes on asm

See the subject for more details.

For more gdb & exploitation fun check out the previous project RainFall.

Final Score 125/100

Getting Started

First download from 42 OverRide.iso.

Virtual Machine setup

On Mac OSX, install VirtualBox.

In VirtualBox create a new VM (click new).

  • Name and operating system - Type: Linux, Version: (Oracle 64-bit)

Continue through all the next steps with the default settings:

  • Memory size: 4MB
  • Hard disk: Create a disk now
  • Hard disk file type: VDI(VirtualBox Disk Image)
  • Storage on physical hard disk: Dynamically allocated
  • File size: 12,00GB

Next click Settings > Network > Adapter 1 > Attached to: Bridged Adapter.

Still in settings click Storage > Right of "Controller: IDE", there is a CD icon with a + sign (add optical drive). Click Add Disk Image, and select OverRide.iso.

Click Start to start the VM, once runnning it should show the VM IP address and prompt user to login.

SSH connect

Log in from a separate shell as user level00 with password level00.

ssh [email protected]{VM_IP} -p 4242

Level Up

As user level00 the goal is to read the password for user level01, found at /home/users/level01/.pass. However, user level00 does not have permissions to read this file.

In the home folder for user level00 is a binary level00 with SUID set and owner level01.

This means when we execute the binary level00, we do so with the permissions of user level01.

We must find a vulnerability in the binary level00 with gdb. Then exploit the vulnerability to run system("/bin/sh"), opening a shell as user level01 where we have permissions to read the password.

cat /home/users/level01/.pass

Then log in as user level01.

su level01

Repeat for each level.

Reverse-engineered binary

For each level, we reverse engineered the original source.c by examining the gdb disassembly of the binary.

Levels Overview

  • 0 - Hardcoded password

  • 1 - Ret2Libc attack

  • 2 - printf() format string attack

  • 3 - Brute force password

  • 4 - gets() stack overflow + Return-to-libc attack

  • 5 - Shellcode in env variable + printf() format string attack

  • 6 - Hash value discoverable with gdb

  • 7 - Ret2Libc Attack on unprotected data table

  • 8 - Binary backs up password via symlink

  • 9 - Off-by-one error

Team

I wrote this project in a team with the super talented @dfinnis.

Owner
Anya Schukin
MSc Computer Science @ 42, Paris. BA Politics @ UCSD / University of Edinburgh
Anya Schukin
Visual Studio extension for assembly syntax highlighting and code completion in assembly files and the disassembly window

Asm-Dude Assembly syntax highlighting and code assistance for assembly source files and the disassembly window for Visual Studio 2015, 2017 and 2019.

Henk-Jan Lebbink 3.9k Jun 25, 2022
Create a Jupyter Kernel for 8085 Microprocessor assembly language that can interpret assembly-level programs right from the Jupyter notebook.

Create a Jupyter Kernel for 8085 Microprocessor assembly language that can interpret assembly-level programs right from the Jupyter notebook.

Sarita Singh 5 May 11, 2022
🎮 Plants vs. Zombies multiplayer battle, developed via reverse engineering, inline hook and dynamic-link library injection. Two online players defend and attack as the plant side and zombie side respectively.

Plants vs. Zombies Online Battle This project has two original repositories: https://github.com/czs108/Plants-vs.-Zombies-Online-Battle https://github

Liugw 71 Oct 14, 2021
The purpose of these streams is to be educational and entertaining for viewers to learn about systems architecture, reverse engineering, software security, etc., and NOT to encourage nor endorse malicious game hacking.

Memestream This repository holds the code that I develop during my live game "modding" ?? sessions. When I stream, I like to speedrun making a success

Stephen Tong 27 Jun 17, 2022
Cutter is a free and open-source reverse engineering platform powered by rizin

Cutter is a free and open-source reverse engineering platform powered by rizin. It aims at being an advanced and customizable reverse engineering platform while keeping the user experience in mind. Cutter is created by reverse engineers for reverse engineers.

Rizin Organization 11.6k Jun 29, 2022
Block Cipher Reverse Engineering: A Challenge by Nintendo European Research & Development

My algorithm cracks NERD HireMe for any output within 1 Second without Brute-Force! Read more if you want to find out how this was accomplished or execute this algorithm yourself on Wandbox - Online C++ Compiler

Alexander Töpfer 58 Nov 15, 2021
Powerful automated tool for reverse engineering Unity IL2CPP binaries

Powerful automated tool for reverse engineering Unity IL2CPP binaries

Katy 1.9k Jun 24, 2022
Resources gathered for reverse engineering the FNIRSI-1013D scope

# FNIRSI-1013D-Hack Resources gathered for reverse engineering the FNIRSI-1013D scope As part of what is on EEVBLOG, resources for the reverse engine

null 48 Jun 15, 2022
A lightweight ARM reverse engineering tool.

eydis A lightweight (basic and slow) ARM reverse engineering tool. I. Requierements macOS/Linux, Basics compiling tools, The SQLite3 + readline framew

Yui Aioi 19 Feb 16, 2022
Info & tools for reverse engineering the M6 smart fitness band

m6-reveng This repo contains information and tools for reverse engineering the $7 M6 smart fitness band. Hardware The SoC (system-on-a-chip) is a Teli

null 35 Apr 20, 2022
Reverse engineering the V831 npu

v831-npu Reverse engineering the V831 Neural Network Accelerator (NNA) Hardware is primarily based off NVIDIA Deep Learning Accelerator(NVDLA) archite

Jasbir 65 Jun 3, 2022
Reverse engineering / documenting the SSC (qcom Snapdragon Sensor Core) or SLPI.

QRTR / QMI sensor daemon Device setup (pmos) Install deps sudo apk add alpine-sdk sshfs eudev-dev qrtr-dev Mount build dir First on host setup USB net

Caleb Connolly 11 Jun 21, 2022
Reverse engineering Genshin Impact anticheat to study how anticheats work on the Windows operating system.

mhyprot2 - Reverse engineering Genshin Impact anticheat for study 1. Demonstration video 2. Screenshots 2.1 Panel 3. Future updates and questions As I

João Vitor 35 Jun 26, 2022
Violent Fungus is a command and control (C2) software suite, providing red teams post-exploitation persistence and other juicy stuff.

Violent Fungus is a command and control (C2) software suite, providing red teams post-exploitation persistence and other juicy stuff.

Chris Humphries 33 Jun 29, 2022
Techniques based on named pipes for pool overflow exploitation targeting the most recent (and oldest) Windows versions

Table of Contents Table of Contents Introduction Named-Pipes Introduction Exploitation Spraying the non-paged pool Memory Disclosure/Arbitrary Read Co

null 131 Jul 2, 2022
A list of excellent resources for anyone to deepen their understanding with regards to Windows Kernel Exploitation and general low level security.

WinKernel-Resources A list of excellent resources for anyone trying to deepen their understanding with regards to Windows Kernel Exploitation and gene

Vector Security 36 May 30, 2022
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors".

COBALT STRIKE 4.4 Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as "adversary simulation software designed to exe

Trewis [work] Scotch 81 Jun 19, 2022
Vulnerability Exploitation Code Collection Repository

Introduction expbox is an exploit code collection repository List Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution curl -i -s -k -X $'POST' -H $'Hos

0x0021h 263 Feb 14, 2022