Friday, September 2, 2016

RootMe - ELF32 - Stack buffer overflow basic 2


Environment:
Attacker: Putty on Windows OS
Vulnerable Machine:
URL: https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-2
Target: .passwd

Walk-Through:

1) In this buffer overflow example we are using SSH to gain access to a machine and practice a buffer overflow. In this example we need the .passwd file for credit, and we need elevated permissions in order to read it. In my case I am using Putty to SSH from a Windows box; on a Linux box like Kali I could just use the ssh command.

The challenge gives you the connection information:

Input into Putty:



After login:


2) Once I look at the file system I can see that all of our files are located in this directory. The source code for the C program is located in the directory and I have the ability to view it (it is also located on the challenge webpage). I do not have the ability to view the .passwd file, however. Let's see what ch15 does.

3) Looking at the code tells me everything that I need to know.


The program starts by defining two functions, one called shell() and one called sup(). Then we get into main, where an integer called var is declared with no initial value. Next comes a void function pointer declaration: it takes func and points it to sup. This means that unless we are able to overflow the buffer created on the next line, the function that is run at the end will be sup. We can see that the buffer is created as 128 characters, but once again the fgets call is allowed to write up to 133 bytes into it.
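The size mismatch described above, shown next to the corrected bound. This is an added example, not the challenge source or code from the original post; `struct frame`, `guard`, `bounded_read` and `pointer_survives` are hypothetical names, and the struct is a constructed stand-in for the stack layout.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128

/* Constructed stand-in for the frame the post describes: a 128-byte buffer
   with a function pointer right after it. guard keeps the demo's writes
   inside one object so the behaviour stays defined. */
struct frame {
    char buf[BUF_SIZE];
    void (*func)(void);
    char guard[8];
};

static void sup(void) { puts("sup() called"); }

/* Mimics fgets(dst, limit, stream) on an in-memory input: copies at most
   limit-1 bytes, stops after a newline, then NUL-terminates. */
static void bounded_read(char *dst, size_t limit, const char *in, size_t in_len)
{
    size_t n = 0;
    while (n + 1 < limit && n < in_len) {
        dst[n] = in[n];
        if (in[n++] == '\n') break;
    }
    dst[n] = '\0';
}

/* Returns 1 if func still holds sup's address after a read with `limit`. */
int pointer_survives(size_t limit, const char *in, size_t in_len)
{
    struct frame f;
    void (*expect)(void) = sup;
    memset(&f, 0, sizeof f);
    f.func = sup;
    /* On a real stack this write is the overflow once limit > BUF_SIZE. */
    bounded_read((char *)&f, limit, in, in_len);
    return memcmp(&f.func, &expect, sizeof expect) == 0;
}

int main(void)
{
    char input[200];
    memset(input, 'A', sizeof input);   /* constructed oversized input */
    printf("limit 133: intact=%d\n", pointer_survives(133, input, sizeof input));
    printf("limit %d: intact=%d\n", BUF_SIZE,
           pointer_survives(BUF_SIZE, input, sizeof input));
    return 0;
}
```

Passing `sizeof buf` as the limit, instead of a hand-typed number, is the fix: the read then stops at byte 127 and the pointer next to the buffer is never touched.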

4) Looks like I am going to use Python again to feed ch15 a buffer overflow. Remembering the trick that I had to use before with cat in basic 1 to get my shell to not immediately time out, I set out trying to get it to work. This one took me some time before I finally realized what I needed to feed the program in order to get the shell.

I knew that I needed to overflow in order to call the shell() function. I now needed to figure out how to call that function with the overflow. I used objdump to get more information.


I was able to see that <shell> is stored here:


Using that info I was able to overflow the buffer and grab the escalated privilege shell.





