I’ll be working through the Fusion challenges and posting my solution to each level here. These challenges are a step above Phoenix. If you haven’t completed those, or don’t already have the requisite knowledge, I suggest you either try those or read my solutions to them here: https://blog.lamarranet.com/index.php/exploit-education-phoenix-solutions/. I’ll also be using these exercises to learn how to use pwntools.
This post will describe how to get set up to follow along.
Fusion is the next step up from the Phoenix setup. It covers more advanced styles of exploitation and introduces a variety of anti-exploitation mechanisms, such as:
- Address Space Layout Randomisation
- Position Independent Executables
- Non-executable Memory
- Source Code Fortification (-D_FORTIFY_SOURCE=)
- Stack Smashing Protection (ProPolice / SSP)
In addition to the above, there are a variety of other challenges and things to explore, such as:
- Cryptographic issues
- Timing attacks
- A variety of network protocols (such as Protocol Buffers and Sun RPC)
At the end of Fusion, the participant will have a thorough understanding of exploit prevention strategies and their associated weaknesses, various cryptographic weaknesses, and numerous heap implementations.
When writing these solutions, I assume that you have either completed the Phoenix challenges, read through my solutions to the Phoenix challenges, or simply already have the knowledge to be able to complete them.
I’ll still be as detailed as I can while leaving out some basic techniques, such as finding the distance from the start of a buffer to the saved return address.
It shouldn’t matter which host OS you’re using. I switch between Windows 10 and Arch Linux as my host OS. Regardless, I’ll be using an Arch Linux VM to attack the Fusion VM from. Here’s what you’ll need:
- On the host OS:
  - VirtualBox (you can use a different hypervisor if you want)
- On the attacking machine:
  - Python 3
I won’t be going over how to install VirtualBox (you can follow their documentation) or how to set up a Linux VM to attack from. But I will cover installing pwntools and creating the Fusion VM.
Python 3 & Pwntools
From the terminal on your attacking machine, you can install Python 3 and pwntools:
On Debian/Ubuntu (apt):
$ sudo -i
# apt update
# apt upgrade -y
# apt install -y python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential
# python3 -m pip install --upgrade pip
# python3 -m pip install --upgrade git+https://github.com/Gallopsled/pwntools.git@dev
On Arch Linux (pacman):
$ sudo -i
# pacman -Syu
# pacman -S --noconfirm python python-pip git openssl libffi
# python -m pip install --upgrade pip
# python -m pip install --upgrade git+https://github.com/Gallopsled/pwntools.git@dev
Creating the VM
You can download the ISO used to boot the VM from here:
- Open VirtualBox and click the “New” button to create a new VM.
- Enter a name (e.g. “Fusion”), select “Linux” for type, and “Ubuntu (32-bit)” for Version. Click Next.
- The default of 1024 MB for RAM should be fine. Click Next.
- Select “Do not add a virtual hard disk.” Click Create.
- Click “Continue” on the warning about creating a new VM without a hard disk.
- Right-click on the newly-created VM and select “Settings…” Go to “Storage.”
- Select the “Empty” disc drive under “Controller: IDE”, click the small disc icon/dropdown, select “Choose Virtual Optical Disk File…”
- Browse to where you’ve saved the downloaded ISO and open it.
- Check the box for “Live CD/DVD.”
- Select “Audio” on the left menu and uncheck “Enable Audio.”
- Select “Network” on the left menu and change the adapter type from NAT to Host-only.
- Click OK to close the settings.
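If you would rather script the VM creation than click through the settings dialogs, the same configuration can be produced with VBoxManage. The script below is an added example, not part of the original post or of the Fusion project; it mirrors the GUI steps above (32-bit Ubuntu type, 1024 MB, no virtual disk, the ISO attached as a live CD, audio disabled, host-only networking). It assumes a Linux host whose host-only interface is named vboxnet0 (on a Windows host the adapter name differs), and it uses the VirtualBox 6.x flag names (VirtualBox 7.x renamed the audio option to --audio-enabled off). Run it with DRY_RUN=1 to print the commands without executing them.

```shell
#!/bin/sh
# Added example (not from the original post): build the Fusion VM with VBoxManage.
# Assumptions: Linux host, host-only interface vboxnet0, VirtualBox 6.x flag names.
set -eu

VM_NAME="${VM_NAME:-Fusion}"
HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"   # assumed host-only interface name

# Run a command, or only print it when DRY_RUN=1 so it can be reviewed first.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create and configure the VM exactly as the GUI steps describe.
# $1 = path to the downloaded Fusion ISO.
create_fusion_vm() {
    iso="$1"
    if [ "${DRY_RUN:-0}" != "1" ] && [ ! -f "$iso" ]; then
        echo "ISO not found: $iso" >&2
        return 1
    fi
    # Type "Linux", version "Ubuntu (32-bit)" is the ostype "Ubuntu" (Ubuntu_64 is 64-bit).
    run VBoxManage createvm --name "$VM_NAME" --ostype Ubuntu --register
    # 1024 MB RAM, audio off, NIC 1 switched from NAT to host-only.
    run VBoxManage modifyvm "$VM_NAME" --memory 1024 --audio none \
        --nic1 hostonly --hostonlyadapter1 "$HOSTONLY_IF"
    # No virtual hard disk: only an IDE controller with the ISO in the optical drive.
    run VBoxManage storagectl "$VM_NAME" --name IDE --add ide
    # --tempeject on is the command-line equivalent of the "Live CD/DVD" checkbox.
    run VBoxManage storageattach "$VM_NAME" --storagectl IDE --port 0 --device 0 \
        --type dvddrive --medium "$iso" --tempeject on
}

# When invoked directly with an ISO path, create the VM and boot it.
if [ "$#" -ge 1 ]; then
    create_fusion_vm "$1"
    run VBoxManage startvm "$VM_NAME"
fi
```

Usage: `sh create-fusion-vm.sh ~/Downloads/fusion.iso` (the file name is whatever you saved the ISO as). If VBoxManage complains that vboxnet0 does not exist, create the host-only interface first with `VBoxManage hostonlyif create` and set HOSTONLY_IF to the name it reports. To switch the VM to a bridged adapter instead, as the note below suggests for reverse shells, replace the --nic1 hostonly/--hostonlyadapter1 pair with --nic1 bridged --bridgeadapter1 followed by your host's interface name.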
Go ahead and boot the VM. Just keep in mind that it’s booting from an ISO and not a drive. So any changes you make to the file system will be reverted after a reboot.
NOTE: If you're using your host as the attacking machine, reverse shells may not work properly with the "host-only" network. If this is the case, try using a bridged adapter for your VM.
You can log in with the username fusion and password godmode. To get root for debugging purposes, you can use the root account with the password
You should now be ready to go.