RootMe - ELF32 - Stack buffer overflow basic 2 ~ RootMe
Attacker: Putty on Windows OS
1) In this buffer overflow example we are using SSH to gain access to a
machine and practice a buffer overflow. In this example we need the
.passwd file for credit, and we need elevated permissions in order to
read it. In my case I am using Putty to SSH from a Windows box; on a Linux
box like Kali I could just use the ssh command.
The challenge gives you the connection information:
Input into Putty:
2) Once I look at the file system I can see that all of our files are
located in this directory. The source code for the C program is located
in the directory and I have the ability to view it (it is also located
on the challenge webpage). I do not have the ability to view the .passwd
file, however. Let's see what ch15 does.
3) Looking at the code tells me everything that I need to know.
The program starts by defining two functions, one called shell() and one called sup(). Then we get into main, where an integer called var is created with no initial value. Next we get to a void function pointer: this statement takes func and points it to sup. This means that unless we are able to overflow the buffer created on the next line, the function that is run at the end will be sup. We can see that the buffer is created as 128 characters, but once again fgets lets us write 133 characters into it.
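As an added illustration (my own code, not the challenge's), this is the hardened shape of that read: the length handed to fgets is derived from the buffer with sizeof, so a 133-versus-128 mismatch cannot be typed, and a line longer than the buffer is reported and drained instead of spilling into the neighbouring function pointer. The helper name and return codes are my own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Reads one line into buf, never writing past cap-1 characters plus the
 * terminating NUL. Returns 1 if the whole line fit, 0 if it was truncated
 * (the excess is drained so a later read does not see the tail), -1 on EOF. */
int read_line_bounded(char *buf, size_t cap, FILE *in) {
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) {
        if (cap) buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    int c = fgetc(in);
    if (c == EOF) return 1;                        /* final line lacked a newline */
    while (c != '\n' && c != EOF) c = fgetc(in);   /* drain the oversized remainder */
    return 0;                                      /* line exceeded cap-1 bytes */
}

static void sup(void) { /* stands in for the challenge's sup() */ }

/* Hardened shape of the challenge's main(): the read length is tied to the
 * buffer with sizeof rather than a hand-typed 133, so the function pointer
 * that sits next to it keeps pointing at sup. Returns the reader's status. */
int hardened_main(FILE *in) {
    void (*func)(void) = sup;
    char buf[128];
    int rc = read_line_bounded(buf, sizeof buf, in);
    func();
    return rc;
}
```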
4) Looks like I am going to use Python again to feed ch15 a buffer overflow. Remembering the trick with cat that I had to use in basic 1 to keep my shell from immediately timing out, I set out trying to get it to work. This one took me some time before I finally realized what I needed to feed the program in order to get the shell.
I knew that I needed to overflow the buffer in order to call the shell() function. I now needed to figure out how to call that function with the overflow, so I used objdump to get more information.
I was able to see that <shell> is stored here:
Using that info I was able to overflow the buffer and grab the escalated privilege shell.