Hey I'm back with another Buffer Overflow article, and today we are going to do a really interesting exploit: we will finally escalate privileges using a vulnerable suid binary (you can learn more about that by reading the first buffer overflow article). I will also cover some interesting topics to fully understand this exploit.

This is also the most realistic exploit so far. All the previous exploits wanted us to change a variable or execute a function, stuff that is more like a CTF, but this time we have a realistic situation. Without wasting more time let's just jump right in. Read the previous articles first if you haven't done so yet.

We have the source like in all the previous challenges, but this time it's actually not important.

It crashes at 0x63413563, now we will use pattern_offset:

pattern_offset.rb -q 63413563

And we get an exact match at offset 76.

As I said before, we will exploit this binary to get a root shell, but how do we know if it's a suid binary or not? We can simply use find to check that:

find /opt/protostar/bin/ -perm -4000 | grep stack5

And we get /opt/protostar/bin/stack5; if it wasn't a suid binary we wouldn't get any output. If you are just searching for suid binaries you can remove the grep command and it will list all suid binaries in the specified directory.

Now let's run gdb again and start getting useful information. Before we start I have to say that the memory addresses may differ, so mine won't be the same as yours.

Last time we overwrote the EIP with the address of the win() function. This time we don't have a function to execute; we have to find the address of the EIP and make it point to our "evil input" (shellcode), I will explain in a moment.

We will set the disassembly flavor to intel, then we will disassemble the main function. By looking at that we can identify the best place to set our breakpoint, and it's gonna be before the leave instruction; leave is right before the return instruction. Next to leave we see the address 0x080483d9 so we will type :

Then we will run the program and pass any input, many A's is always good. It will execute and stop at the breakpoint; by typing info frame we can get the EIP address. The last 2 lines show the saved registers : eip at 0xbffff77c

Another way to get the buffer size

Let's take a break and take a quick look at another way to get the buffer size. I wanted to show this quickly because we have already done 50 % of it. Metasploit is cool, but what if we don't have metasploit in some situation? We can do it manually by calculating the distance between the buffer start address and the EIP address. We have already got the EIP address, so let's get the start of the buffer. If we type x/24wx $esp it will examine (x/) 24 words in hex (24wx) at the top of the stack ($esp).

At the second line we see the address 0xbffff730, and it holds values of 0x41414141; we already know that 41 is the hex of "A", which was our input to the program, so this address is where the buffer starts. We know that the buffer comes first and then the EIP, so the EIP's address is greater than the buffer's address. We will subtract them from each other (0xbffff77c - 0xbffff730 = 0x4c):

And we get 76, the same result we got using metasploit. That was another practical way to find the buffer's size.

Before we build our exploit let's just understand the idea of the exploit. We will fill the buffer with "A" as always, we will reach the EIP and overwrite it with a new address that points to our shellcode (4 bytes after), then we will add something called NOPs (No Operation), then finally the shellcode. So what's a shellcode? Simply, it's a piece of code (written in hex in our situation) that we use as a payload to execute something. And this binary is suid, so if we execute shellcode that executes /bin/sh with the binary we will get a root shell. You can get shellcodes from shell-storm or from exploit-db; of course there are a lot of other resources, I'm just giving examples. This is the shellcode we are going to use for this challenge :
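As an added example (not code from the original post), here is a small Python reimplementation of both offset-finding methods described above: a Metasploit-style cyclic pattern with a pattern_offset lookup for the crash value 0x63413563, and the subtraction of the buffer start from the saved EIP address. The pattern layout assumed here mirrors the standard Aa0Aa1... scheme of pattern_create; the function names are my own.

```python
import string

# Metasploit-style cyclic pattern: triples of (uppercase, lowercase, digit),
# i.e. "Aa0Aa1Aa2...Aa9Ab0..." (assumed to match pattern_create's layout).
MAX_PATTERN_LEN = 26 * 26 * 10 * 3  # 20280 chars before the pattern repeats


def pattern_create(length):
    """Return the first `length` characters of the cyclic pattern."""
    if length > MAX_PATTERN_LEN:
        raise ValueError("pattern would repeat beyond %d chars" % MAX_PATTERN_LEN)
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(crash_value, pattern_len=MAX_PATTERN_LEN):
    """Locate the 4 bytes that landed in EIP inside the pattern.

    crash_value is the value gdb reports (e.g. "63413563" or 0x63413563).
    On x86 the stack is little-endian, so 0x63413563 was the string "c5Ac"
    in the input; its index in the pattern is the distance to saved EIP.
    Returns -1 if the value did not come from the pattern.
    """
    value = int(crash_value, 16) if isinstance(crash_value, str) else crash_value
    try:
        needle = value.to_bytes(4, "little").decode("ascii")
    except (OverflowError, UnicodeDecodeError):
        return -1
    return pattern_create(pattern_len).find(needle)


def offset_from_addresses(buffer_start, saved_eip):
    """Manual method: distance from the buffer start to the saved EIP slot."""
    if saved_eip <= buffer_start:
        raise ValueError("saved EIP must be above the buffer on the stack")
    return saved_eip - buffer_start


if __name__ == "__main__":
    print(pattern_offset("63413563"))                     # 76
    print(offset_from_addresses(0xbffff730, 0xbffff77c))  # 76
```

Both methods agree on 76, which is the same offset the post gets from pattern_offset.rb and from the gdb subtraction.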