Pheonix stack-five write-up


Intro

As opposed to executing an existing function in the binary, this time we’ll be introducing the concept of “shell code”, and being able to execute our own code. the concept of a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. I’ll make a tutorial that describes how to make your own shellcode but for the sake of this write-up we will use others  shellcode.

Solution: 

As always I’ll follow my previous strategy:

  1. finding the address of where buffer starts
  2. filler bytes to reach the return address (rip) 
  3. but sufficient nops so there’s no SEG FAULT 
  4. overwrite the return address with the address of nop sleds
  5. the shellcode 

So that we have the steps now we will discuss them in details:

  1. If you reach this far i think it’s easy by now for you to determine the address where the buffer starts, set breakpoint at this address (gdb)break *0x0000000000400599 then examine the rax register with (gdb) i r rax i got this value 0x7fffffffe5b0 keep in mind that the value may be different from yours so now we have the address where the buffer starts let’s move to the next step step 
  2. In this step we want to determine the size of our filler bytes, for this let’s put breakpoint (gdb) break *0x4005a1 and to get the address where the rip is stored type (gdb) x/2wx $rbp + 0x8, we know from previous write-ups that thee return address is located above the rbp register so our address is 0x7fffffffe638 and if we subtract this address from the buffer address we get how many bytes we have to fill  (gdb) p 0x7fffffffe638 – 0x7fffffffe5b0 we will get 0x88 which equals 136 in decimal now that we know the size of the filler bytes needed to reach the RIP 
  3. Now we want to pick appropriate nop sleds in order to reach the shell code without any SEG FAULT or anything that will rune the exploit, In case if you don’t know what nop sled is  no operation is an assembly language instruction, programming language statement, or computer protocol command that does nothing with opcode of (x90),so we will fill our stack with some nopes I have put 90 bytes if nops and worked for me it’s okay if you increase or decrease the number if that will not trigger some Exception in the stack here’s a picture of my stack until now if you noticed the address 0x7fffffffe690
  4. The address 0x7fffffffe690 indicates the nop sled address in the stack which will do nothing as described above and it will keep sliding towards the shellcode Note also here we can change this address but the most important thing is that it has to be address of nop sled 
  5. now we reached the point where we will put the shellcode I found a shell code from http://shell-storm.org/shellcode/files/shellcode-806.php “\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05” as i said I’ll make a tutorial about how to create your own shellcode 

Here’s a final picture of the stack 

and this is our exploit in python 

I hope you enjoyed my write-up any comment or suggest is appreciated you can contact me via my e-mail address: omaroobaniessa@gmail.com 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s