Friday, September 2, 2016

RootMe - ELF32 - Stack buffer overflow basic 1

ELF32 - Stack buffer overflow basic 1 ~ RootMe

Environment:
Attacker: Putty on Windows OS
Vulnerable Machine:
URL: https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-1
Target: .passwd

Walk-Through:

1) In this buffer overflow example we use SSH to gain access to a machine and practice a buffer overflow. To get credit we need the contents of the .passwd file, and we need elevated permissions in order to read it. In my case I am using Putty to SSH from a Windows box; on a Linux box like Kali I could just use the ssh command.

The challenge gives you the connection information:

Input into Putty:

After login:


2) Once I look at the file system I can see that all of our files are located in this directory. The source code for the C program is in the directory and I have the ability to view it (it is also on the challenge webpage). I do not have the ability to view the .passwd file, however. Let's see what ch13 does.

3) Looking at the code tells me everything that I need to know.

It looks like the program creates a 40-character buffer and then calls fgets() to read input into it. The fgets() call allows 45 characters, which is what lets us overflow the buffer. The program then checks whether a variable next to the buffer equals 0xdeadbeef and, if it does, spawns a shell. 0xdeadbeef is therefore the value we want to overflow with.
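To make the defect concrete, here is an added example (my own code, not the challenge's ch13 source): the unsafe pattern the paragraph describes, shown only as a comment because running it is undefined behaviour, beside a bounded reader that sizes the fgets() call by the buffer itself and refuses lines that do not fit. The names read_line_bounded, read_from_string and constructed_line are my own, and the test driver assumes POSIX fmemopen() so the reader can be exercised from an in-memory string instead of a terminal.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() (POSIX, assumed available) */
#endif
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 40   /* the 40-byte buffer from the challenge */

/* Outcome of a bounded line read. */
enum read_status { READ_OK = 0, READ_EOF = 1, READ_TOO_LONG = 2 };

/*
 * Unsafe pattern (as described in the walkthrough): the size passed to
 * fgets() is larger than the array, so up to 44 bytes plus a NUL can land in
 * a 40-byte buffer and clobber whatever the compiler placed after it.
 *
 *     char buf[40];
 *     fgets(buf, 45, stdin);      // size argument does not match the buffer
 */

/*
 * Hardened pattern: the size argument is derived from the buffer, and an
 * over-long line is detected and rejected rather than silently truncated.
 * The leftover bytes of a rejected line are drained so the next read does
 * not start in the middle of it.
 */
enum read_status read_line_bounded(FILE *in, char *buf, size_t bufsz)
{
    if (fgets(buf, (int)bufsz, in) == NULL) {
        buf[0] = '\0';
        return READ_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* whole line fit: strip the newline */
        return READ_OK;
    }
    /* No newline in the buffer: the line ended exactly at the boundary,
     * the input hit EOF, or the line is longer than the buffer. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return READ_OK;
    while (c != '\n' && c != EOF)     /* drain the rest of the over-long line */
        c = fgetc(in);
    buf[0] = '\0';
    return READ_TOO_LONG;
}

/* Test driver: present a constructed string as the input stream. */
enum read_status read_from_string(const char *input, char *out, size_t outsz)
{
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL) {
        out[0] = '\0';
        return READ_EOF;
    }
    enum read_status st = read_line_bounded(f, out, outsz);
    fclose(f);
    return st;
}

/* Constructed input: n copies of 'A' followed by a newline (n <= 62). */
const char *constructed_line(size_t n)
{
    static char line[64];
    if (n > 62)
        n = 62;
    memset(line, 'A', n);
    line[n] = '\n';
    line[n + 1] = '\0';
    return line;
}

int main(void)
{
    char buf[BUF_SIZE];
    /* 39 bytes plus NUL fit in 40; 44 bytes (the 45-byte fgets() limit) do not. */
    printf("39 x 'A' -> status %d\n", read_from_string(constructed_line(39), buf, sizeof buf));
    printf("44 x 'A' -> status %d\n", read_from_string(constructed_line(44), buf, sizeof buf));
    return 0;
}
```

The point of the check is that the only change from the unsafe version is where the size comes from: `sizeof buf` cannot drift out of sync with the array the way a hard-coded 45 did, and the caller learns when input was rejected instead of carrying on with a partially written buffer.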

4) I'm going to use Python to assist me in overflowing the buffer. This command pipes 40 letter A's into the ch13 program.

 
I've changed the buffer and the program tells me that I'm on the right path. Now I'm going to add the characters that I want to overflow with.
 

It looks like my overflow got jumbled in the process and therefore it did not call the shell. Maybe I can rearrange it to get it to work.

This has allowed me to overflow the buffer and execute the new shell. But my shell did not execute. I believe that it is due to a timeout issue. Let me pipe the catted Python command to the program and see if that works.


That's more like it. A simple whoami command confirms that I have elevated privileges.

5) Grab the password and collect your points!!!

2 comments:

  1. Hi,
    I am a newbie. Would you mind explaining your shellcode[1] clearly?
    [1]: cat <(python -c 'print "a"*40 + "\xde\xef\xde\xad"') - | ./ch13

    Why does it need "-" and "cat"?

    Why did you not use `python -c 'print "a"*40 + "\xde\xef\xde\xad"' | ./ch13`?

    Thanks for reading!
